Abstract. Attacks on classical cryptographic protocols are usually modeled by allowing an adversary
to ask queries from an oracle. Security is then defined by requiring that as long as the queries satisfy
some constraint, there is some problem the adversary cannot solve, such as compute a certain piece of
information. In this paper, we introduce a fundamentally new model of quantum attacks on classical
cryptographic protocols, where the adversary is allowed to ask several classical queries in quantum
superposition. This is a strictly stronger attack than the standard one, and we consider the security of
several primitives in this model. We show that a secret-sharing scheme that is secure with threshold
t in the standard model is secure against superposition attacks if and only if the threshold is lowered
to t/2. We use this result to give zero-knowledge proofs for all of NP in the common reference string
model. While our protocol is classical, it is sound against a cheating unbounded quantum prover and
computational zero-knowledge even if the verifier is allowed a superposition attack. Finally, we consider
multiparty computation and show that for the most general type of attack, simulation based security
is not possible. However, putting a natural constraint on the adversary, we show a non-trivial example
of a protocol that can indeed be simulated.



1 Introduction 

Attacks on classical cryptographic protocols are usually modeled by allowing an adversary to ask 
queries from an oracle, for instance the adversary specifies a subset of parties he wants to corrupt, 
and gets back their views of the protocol. Security is then defined by requiring that as long as the 
queries satisfy some constraint (for instance, the corrupted subset is not too large), there is some 
problem the adversary cannot solve, such as compute a certain piece of information. 

Several previous works consider what happens to security if we allow the adversary to be 
quantum. The model usually considered is that the adversary is now a quantum machine, but 
otherwise plays exactly the same game as in a classical attack, i.e., he still communicates classically 
with the protocol he attacks. One example of this is the work of Watrous, showing that a large 
class of zero-knowledge protocols are also zero-knowledge against a quantum verifier. 

It is natural to ask why we constrain a quantum adversary to communicate classically during the
attack. The standard answer to this is that since honest players are classical, they would (implicitly)
be doing a measurement of anything they receive, thus forcing a collapse of any quantum state they
are given.

An important point, however, is that the assumption about honest players being classical is not 
always justified, even if the protocol is supposed to be classical: in the future, honest players may use 
quantum computing, just to speed up their local computation, even if they sometimes communicate 
classically. Furthermore, future usage of quantum cryptography will imply that players sometimes 
communicate quantumly (to do quantum key distribution) and sometimes classically. Finally, one 
should consider the case where a classical protocol is used as a subroutine for a protocol that handles
quantum data. This is exactly what happens in the work of Ben-Or et al. [BCG+05], where classical
multiparty computation is used as a tool to obtain quantum multiparty computation.



Now, if a quantum adversary is attacking honest players that use quantum computing or even
quantum communication themselves, it does not seem justified to assume that he can only
communicate classically with them. Indeed, as an example, consider a zero-knowledge protocol where
the prover is implemented as a small quantum device sitting inside a mobile unit, say a PDA or
a smart-phone. If an adversary gets hold of the unit, he may not be able to break in and directly
read the prover's secret. But he can try to subject the device to unusual physical conditions, say
by cooling it down, and in this way perhaps be able to communicate quantumly with the prover,
even if the device was not designed for this in the first place.

In this paper, we therefore introduce a new model of quantum attacks on classical cryptographic 
protocols, where the adversary is allowed to ask several classical queries in quantum superposition. 
In more concrete terms, we ask, for multiparty protocols: what happens if the adversary can be in 
superposition of having corrupted several different subsets? or, for zero-knowledge protocols: what 
happens if a quantum verifier can be in superposition of having issued several different challenges 
to the prover? As we argued above, we believe such superposition attacks to be a valid physical 
concern, but they also form a very natural generalization from a theory point of view: in the 
literature on black-box quantum computing, quantum black-box access to a function is usually 
defined by extending classical black-box access such that queries are allowed to contain several 
inputs in superposition. Our superposition attacks extend classical attacks in the same way. 

Superposition attacks are strictly stronger than the standard ones, and we consider the security
of several primitives in this model: We show that a secret-sharing scheme that is perfectly secure
with threshold t in the standard model is perfectly secure against superposition attacks if and
only if the adversary's superposition is constrained to contain subsets of size at most t/2. If this
condition is not satisfied, not only does perfect security fail, we show examples where the adversary
may even learn the secret with certainty.

We use the secret-sharing result to construct zero-knowledge proofs for all of NP in the common
reference string (CRS) model. While our protocol is classical, it is sound against a cheating
unbounded quantum prover and computational zero-knowledge even if the verifier is allowed a
superposition attack. Since we use the CRS model, the reader may ask why we do not use existing
protocols for non-interactive zero-knowledge (NIZK), where the prover just sends a single message
to the verifier. In this way, the adversary would not get a chance to do a superposition attack.
However, the most general assumption under which NIZK is known to be possible is existence
of one-way permutations. They in turn are only known to be realizable under assumptions that
are easily broken by a quantum adversary, such as factoring or discrete log. Therefore we do not
consider NIZK a satisfactory solution.

Finally, we consider multiparty computation and we define a UC-style model for static and passive
superposition attacks on classical MPC protocols. Given our result on secret-sharing schemes,
it is natural to speculate that classical MPC protocols that are secure against t corruptions are
secure against superposition attacks corrupting t/2 players. The situation turns out to be more
complicated, however: We show that for the model that gives the adversary the most power (and
hence is the most hostile to the simulator), simulation based security is not possible at all. The
adversary can put its query in a state that prevents the simulator from learning any information
on the inputs and outputs of corrupted players. However, putting a natural constraint on the
adversary, we show a non-trivial example of a protocol that can indeed be simulated. By non-trivial,
we mean that although the protocol is secure against a classical attack, we can show that it cannot
be proved secure against a superposition attack by simply running the classical simulator in
superposition. We therefore come up with techniques that are "more quantum" to do the simulation.
We give (in completely classical terms) a characterization of the protocols that can be simulated
using these techniques. The obtained simulators are not necessarily efficient, however.

Whether more general positive results hold in this constrained model remains an open question.
Likewise, the very natural question of security of quantum protocols against superposition attacks
remains open. Note that in existing work on quantum multiparty computation [BCG+05], the
adversary's choice of subset to corrupt is classical. The negative part of our result on secret sharing
described above shows that the protocol from [BCG+05] is not secure against superposition attacks
as it stands.



2 Preliminaries 



2.1 Notation and terminology 

We will model players in protocols in two different ways: when we are not interested in computational
limitations on parties, a player will be specified by a series of unitary transforms where the
i'th transform is done on all qubits available to the party, after the i'th message has been received
(in the form of a quantum register), and then some designated part of the storage is sent as the
next outgoing message. We are limiting ourselves to perfect unitary transformations of the party's
register because we are exactly considering the situation where an attacker manages to prevent
coupling between the party and the environment.

In cases where we want to bound the computational complexity of a player, we consider a
player to be an infinite family of interactive quantum circuits, as in the model from [FS09], and
then the complexity is circuit size.



2.2 Running functions in superposition 

Consider any function $f : X \to Y$ and a register of qubits $|\psi\rangle = \sum_x \alpha_x |x\rangle|0\rangle \in \mathcal{H}_X \otimes \mathcal{H}_Y$, where
$\dim(\mathcal{H}_X) = |X|$ and $\dim(\mathcal{H}_Y) = |Y|$. Running $f$ on $|\psi\rangle$ means to apply the unitary transformation
$U_f$ such that $U_f \sum_x \alpha_x |x\rangle|0\rangle = \sum_x \alpha_x |x\rangle|f(x)\rangle$. In general the register in $\mathcal{H}_Y$, called the
response register, can contain any superposition of values, not just 0. In this case, we have that
$U_f \sum_{x,a} \alpha_{x,a}|x\rangle|a\rangle = \sum_{x,a} \alpha_{x,a}|x\rangle|f(x) \oplus a\rangle$ where $\oplus$ is the bitwise xor.



3 Secret sharing 



In (classical) secret sharing $n$ parties are sharing some secret value $s \in S$ using randomness $r \in \mathcal{R}$,
where $S$ and $\mathcal{R}$ are the sets of possible secrets and randomness. We name the parties $P_1, \ldots, P_n$. Let
$[n] = \{1, \ldots, n\}$. Each party $P_i$ receives a share $v_i(s,r) \in \{0,1\}^*$, also called his private view.
That is, $v_i : S \times \mathcal{R} \to \{0,1\}^*$. For $A \subseteq [n]$, let $v_A(s,r) = \{v_i(s,r)\}_{i \in A}$ be the string containing
the concatenation of views for parties $P_i$ with $i \in A$. For convenience in the following we assume
that each such string is padded, so that they have the same length regardless of the size of $A$.
That is, $v_A : S \times \mathcal{R} \to \{0,1\}^*$. An adversary structure $G$ is a family of subsets $G \subseteq 2^{[n]}$. A secret
sharing scheme is perfectly secure against classical $G$-attacks if for any $A \in G$, the distribution of
$v_A(s,r)$ does not depend on $s$. The adversary structure of the secret sharing scheme is the maximal
adversary structure $F$ such that the scheme is perfectly secure against $F$-attacks.

We'll model any passive attack on the scheme as a one-time query to a corruption oracle. The
corruption oracle for a specific run of a secret sharing scheme, $O(s,r,A) = v_A(s,r)$, is the function
that on input $A$ returns the private view of those parties. That is, $O : S \otimes \mathcal{R} \otimes F \to \{0,1\}^*$.



3.1 Two-party bit sharing example 

Before we give the full model for secret sharing we start with a small example. We consider the
case of 2 parties sharing a single bit $b \in \{0,1\}$ using a random bit $r \in \{0,1\}$. $[n] = \{1,2\}$,
$F = \{\{1\}, \{2\}\}$, $v_1(b,r) = b \oplus r$, $v_2(b,r) = r$. This scheme is trivially secure in the classical setting.
In the following we'll consider what happens if we allow the adversary to interact with the corruption
oracle in superposition. As this is meant to introduce the concept, we'll cut a few corners in terms
of technicality and reserve that for the later sections.

Assuming some specific bit has been shared with some specific randomness, we can write the state
of the parties as $|v_1(b,r)\rangle \in \mathcal{H}_2$ and $|v_2(b,r)\rangle \in \mathcal{H}_2$. Consider an adversary supplying the following
input to the corruption oracle,

$|\omega\rangle = \frac{1}{\sqrt{2}}(|1\rangle|0\rangle + |2\rangle|0\rangle).$

The oracle will run on both of these inputs in superposition. The state the adversary receives will
be a mixed state over different choices of randomness and secrets. We'll assume both of these are
uniformly chosen and he'll hence receive,

$\sum_{b\in\{0,1\},\, r\in\{0,1\}} \frac{1}{4}|\psi_{b,r}\rangle\langle\psi_{b,r}|$

where $|\psi_{b,r}\rangle = \frac{1}{\sqrt{2}}(|1\rangle|v_1(b,r)\rangle + |2\rangle|v_2(b,r)\rangle) = \frac{1}{\sqrt{2}}(|1\rangle|b \oplus r\rangle + |2\rangle|r\rangle)$. Define the state the adversary
sees for a specific secret $b$ as $\rho_b^{adv} = \sum_{r\in\{0,1\}} \frac{1}{2}|\psi_{b,r}\rangle\langle\psi_{b,r}|$. We would consider our bit sharing
scheme secure iff for all possible queries, $\rho_0^{adv} = \rho_1^{adv}$. However, note that

$\rho_b^{adv} = \sum_{r\in\{0,1\}} \frac{1}{2}|\psi_{b,r}\rangle\langle\psi_{b,r}| = \sum_{A,A'\in\{1,2\}} \frac{1}{2}|A\rangle\langle A'| \otimes \Big(\sum_{r\in\{0,1\}} \frac{1}{2}|v_A(b,r)\rangle\langle v_{A'}(b,r)|\Big)$

For $A = 1$, $A' = 2$, consider the submatrix $\sum_{r\in\{0,1\}} |v_1(b,r)\rangle\langle v_2(b,r)| = \sum_{r\in\{0,1\}} |b \oplus r\rangle\langle r|$. It should be
clear that $\sum_{r\in\{0,1\}} |0 \oplus r\rangle\langle r| \neq \sum_{r\in\{0,1\}} |1 \oplus r\rangle\langle r|$, hence $\rho_0^{adv} \neq \rho_1^{adv}$, which means the scheme is not
secure if we allow the adversary to run the corruption oracle in superposition. This is not surprising
since we know that using the Deutsch-Jozsa algorithm you can actually distinguish between two such
shares perfectly. Note that to do it perfectly it would require the use of a superposition of values
for the response registers.
3.2 Model for secret sharing

We'll now give the full technical description of the model for superposition attacks on general secret
sharing. To do this we first consider the state spaces needed to run the protocol and the attack on
the protocol. First is the space that contains the shares for all the parties, $\mathcal{H}_{parties}$. The state in
the register for this space is unchanged throughout the attack and is,

$|parties\rangle_P = \sum_{s\in S,\, r\in\mathcal{R}} \sqrt{p_s}\sqrt{p_r}\,|s, r, v_{[n]}(s,r)\rangle_P = \sum_{s\in S,\, r\in\mathcal{R}} \sqrt{p_s}\sqrt{p_r}\,|s,r\rangle \bigotimes_i |v_i(s,r)\rangle \in \mathcal{H}_{parties}$

where $|s,r\rangle$ is the purification of the secret and randomness choice. This is purely for technical
reasons and does not matter for the adversary as he never sees it (and hence they might as well be
considered measured). Next is the space for the environment, $\mathcal{H}_{env}$, which the adversary can use
to choose his query and use as potential auxiliary register. The initial state for the environment is
a general (pure) state,

$\sum_x \alpha_x |x\rangle_E.$

Finally is the space holding the adversary's query to the corruption oracle, $\mathcal{H}_{query}$. This is initially
a 'blank' state.

The space for the entire model is hence $\mathcal{H}_{total} = \mathcal{H}_{parties} \otimes \mathcal{H}_{env} \otimes \mathcal{H}_{query}$ and the initial state is,

$|init\rangle = \sum_{s\in S,\, r\in\mathcal{R}} \sqrt{p_s}\sqrt{p_r}\,|s, r, v_{[n]}(s,r)\rangle_P \otimes \sum_x \alpha_x |x\rangle_E \otimes |0, 0\rangle_Q \in \mathcal{H}_{total}.$

The attack will be defined by two operations and an adversary structure $F$. First the adversary
needs to construct his query for the oracle. This includes choosing the superposition of subsets he'll
corrupt and associated values for the response registers. This is an arbitrary unitary operation.
We'll denote it $U_{query}$,

$U_{query} : \mathcal{H}_{env} \otimes \mathcal{H}_{query} \to \mathcal{H}_{env} \otimes \mathcal{H}_{query}.$

After this unitary operation the state is,

$|query\rangle = U_{query}|init\rangle = \sum_{s\in S,\, r\in\mathcal{R}} \sqrt{p_s}\sqrt{p_r}\,|s, r, v_{[n]}(s,r)\rangle_P \otimes \sum_{x,\, A\in F,\, a\in\{0,1\}^*} \alpha_{x,A,a}|x\rangle_E \otimes |A, a\rangle_Q \in \mathcal{H}_{total}$

where we assume it is the identity on $\mathcal{H}_{parties}$. Next the oracle, $O(s,r,A)$, is run. Let $U_O$ denote the
unitary applying this function. The state afterwards is,

$|final\rangle = U_O|query\rangle = \sum_{s\in S,\, r\in\mathcal{R}} \sqrt{p_s}\sqrt{p_r}\,|s, r, v_{[n]}(s,r)\rangle_P \otimes \sum_{x,\, A\in F,\, a\in\{0,1\}^*} \alpha_{x,A,a}|x\rangle_E \otimes |A, a + v_A(s,r)\rangle_Q \in \mathcal{H}_{total}$

where we, again, assume $U_O$ is padded with appropriate identities. Consider the final state the
adversary sees for a specific secret $s$,

$\rho_s^{adv,F} = \sum_{r\in\mathcal{R}} p_r\, |\psi_r^{adv,s}\rangle\langle\psi_r^{adv,s}|$

where $|\psi_r^{adv,s}\rangle = \sum_{x,\, A\in F,\, a\in\{0,1\}^*} \alpha_{x,A,a}|x\rangle_E \otimes |A, a + v_A(s,r)\rangle_Q$.
Definition 1. A secret sharing scheme $\mathcal{S}$ is perfectly secure against superposition $F$-attacks if,
and only if, for all unitary matrices $U_{query} : \mathcal{H}_{env} \otimes \mathcal{H}_{query} \to \mathcal{H}_{env} \otimes \mathcal{H}_{query}$ and all possible pairs
of inputs $s, s' \in S$,

$\rho_s^{adv,F} = \rho_{s'}^{adv,F}.$

For an adversary structure $F$, we define $F^2 = \{A \mid A = B \cup C \text{ where } B, C \in F\}$.

Theorem 1. Let $G$ be the classical adversary structure for $\mathcal{S}$. $\mathcal{S}$ is perfectly secure against superposition
$F$-attacks if and only if $F^2 \subseteq G$.

Proof. For the forward direction, consider the adversary's final state,

$\rho_s^{adv,F} = \sum_{r\in\mathcal{R},\; x, x',\; A, A'\in F,\; a, a'\in\{0,1\}^*} p_r\, \alpha_{x,A,a}\, \alpha^*_{x',A',a'}\, |x\rangle_E\langle x'|_E \otimes |A, a + v_A(s,r)\rangle_Q\langle A', a' + v_{A'}(s,r)|_Q$

Now, for any fixed $A, A', a, a'$ and $s$, consider the matrix $\sum_{r} p_r |A, a + v_A(s,r)\rangle_Q\langle A', a' + v_{A'}(s,r)|_Q$.
The crucial observation now is that this matrix is in 1-1 correspondence with the joint distribution
of $v_A(s,r)$ and $v_{A'}(s,r)$. Namely, its entries are indexed by pairs of strings $(\alpha, \beta)$, where $\alpha, \beta$ are
strings of the same length. And furthermore the $(\alpha,\beta)$'th entry is the probability that the events
$v_A(s,r) = \alpha + a$ and $v_{A'}(s,r) = \beta + a'$ occur simultaneously. Now, if $F^2 \subseteq G$, we have that
$\mathcal{S}$ is perfectly secure against classical $F^2$-attacks. Therefore the joint distribution of $v_A(s,r)$ and
$v_{A'}(s,r)$ does not depend on $s$, consequently each matrix $\sum_{r} p_r |A, a + v_A(s,r)\rangle_Q\langle A', a' + v_{A'}(s,r)|_Q$
is independent of $s$ as well. Hence $\forall s, s' \in S : \rho_s^{adv,F} = \rho_{s'}^{adv,F}$ as required.

For the only-if part, assume for contradiction that $F^2 \not\subseteq G$, i.e., there exist $A_0, A_1 \in F$ such that
$A_0 \cup A_1 \notin G$. It follows that a secret shared using $\mathcal{S}$ is uniquely determined from shares in $A_0 \cup A_1$.
Then consider the query $|\omega_A\rangle = (|A_0\rangle|0\rangle + |A_1\rangle|0\rangle)/\sqrt{2}$. By the same computation as above, we see
that $\rho_s^{adv,F}$ contains a submatrix of the form $\sum_r p_r |a_{A_0} + v_{A_0}(s,r)\rangle\langle a_{A_1} + v_{A_1}(s,r)|$, that corresponds to the
joint distribution of shares in $A_0$ and $A_1$. But since the secret is uniquely determined from these
shares, it follows that this submatrix is different for different secrets, and hence we get that there
exists a measurement with non-zero bias towards the secret, and so $\mathcal{S}$ is not perfectly secure against
quantum $F$-attacks. This is exactly the result we saw in the small example in Section 3.1.
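The Section 3.1 computation and the criterion of Theorem 1 can be checked mechanically. The following Python is an added example and not code from the paper: it builds $\rho_s^{adv,F}$ on the query register for a uniform query over subsets (with $a = 0$, i.e. created response registers) by running the corruption oracle in superposition, compares the states for all secrets as Definition 1 demands, and compares the outcome with the condition $F^2 \subseteq G$; the 4-party Shamir scheme over GF(5) with $t = 2$ is a constructed instance.

```python
from fractions import Fraction
from itertools import product

# Two toy schemes.  bit_sharing is the 2-party scheme of Section 3.1; shamir4 is a
# constructed 4-party Shamir scheme over GF(P) with threshold t = 2 (any 2 shares
# are independent of the secret, any 3 determine it).
P = 5  # constructed small prime

def bit_sharing(b, r):
    """v_1(b, r) = b xor r, v_2(b, r) = r; views add mod 2."""
    return {1: b ^ r, 2: r}

def shamir4(s, r):
    """f(X) = s + r1*X + r2*X^2 over GF(P); party i holds f(i)."""
    r1, r2 = r
    return {i: (s + r1 * i + r2 * i * i) % P for i in (1, 2, 3, 4)}

def query_over(subsets):
    """Uniform superposition over |A, 0> for the subsets in F that the adversary
    corrupts in superposition (created response registers, i.e. a = 0)."""
    return [(frozenset(A), (0,) * len(A)) for A in subsets]

def adversary_state(share, q, randomness, query, s):
    """rho_s^{adv,F} restricted to the query register: the corruption oracle
    maps |A, a> -> |A, a + v_A(s, r)> (addition mod q) on every branch of the
    query, and the result is averaged over uniformly random r.  With uniform
    amplitudes 1/sqrt(len(query)) every entry is an exact Fraction, stored
    sparsely as {(ket, bra): entry}."""
    rho = {}
    weight = Fraction(1, len(query) * len(randomness))
    for r in randomness:
        views = share(s, r)
        branches = []
        for A, a in query:
            v_A = tuple(views[i] for i in sorted(A))
            branches.append((A, tuple((x + y) % q for x, y in zip(a, v_A))))
        # |psi_r><psi_r| contributes `weight` to every (ket, bra) pair of branches
        for ket in branches:
            for bra in branches:
                rho[(ket, bra)] = rho.get((ket, bra), Fraction(0)) + weight
    return rho

def perfectly_secure(share, q, randomness, query, secrets):
    """Definition 1 for this one query: rho_s must be the same for every secret."""
    states = [adversary_state(share, q, randomness, query, s) for s in secrets]
    return all(st == states[0] for st in states[1:])

def theorem1_predicts(F, t):
    """Theorem 1 for a t-threshold scheme (G = all subsets of size <= t):
    secure iff every union B u C with B, C in F is still in G."""
    return all(len(set(B) | set(C)) <= t for B in F for C in F)

R_SHAMIR = list(product(range(P), repeat=2))   # r = (r1, r2), uniform
SECRETS = list(range(P))

if __name__ == "__main__":
    # Section 3.1: the query (|1,0> + |2,0>)/sqrt(2) distinguishes b = 0 from b = 1.
    print("bit sharing, F = {{1},{2}}: secure =",
          perfectly_secure(bit_sharing, 2, [0, 1], query_over([{1}, {2}]), [0, 1]))
    for F in ([{1}, {2}, {3}], [{1, 2}, {3, 4}]):
        got = perfectly_secure(shamir4, P, R_SHAMIR, query_over(F), SECRETS)
        print("shamir t=2, F=%s: secure=%s, Theorem 1 predicts %s"
              % (F, got, theorem1_predicts(F, 2)))
```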

3.3 Simplified models for secret sharing 

When formalizing superposition attacks on secret sharing we need to consider if we allow the
adversary to use different values for the response register. The choice provably makes a difference
for the strength of the model, and both options can be justified from a physical perspective. We
therefore cover both models. When the adversary runs a classical component in superposition, then
the reply will in general be a superposition. This opens the question of how the reply is delivered. In
quantum information processing, it is customary that the result is xor'ed onto a response register
$a$ supplied along with the input. I.e., for a function $f$ one is given a box which on classical input
$|x\rangle|a\rangle$ outputs $|x\rangle|a \oplus f(x)\rangle$. This is convenient, as it is invertible, so the action of the box
on a superposition is given by its actions on the classical inputs. This approach is reasonable in
quantum information processing, as one is typically designing the boxes oneself. If $f$ is a database
one can simply design the quantum version to supply the output by xor'ing it onto a response
register. Consider, however, the prover in a zero-knowledge proof, which is sent a challenge $e$ and
then sends back $z(e)$. Even though the prover might be tricked into running on a superposition
without noticing it, it does not seem reasonable that the prover would not notice it if we sent
along a response register and asked her to xor her reply onto this register. In such a setting it
seems more reasonable that the box/prover creates the response registers and returns them to the
attacker/verifier. We model the setting of created response registers by restricting the more general
setting of supplied response registers by allowing only $a = 0$. In that case the response from the
box would be $|x\rangle|f(x)\rangle$.



3.4 Attacks on Secret Sharing 

Even if a secret sharing scheme is not perfectly secure according to Theorem 1, it does not tell us
anything about how much information the adversary can actually gain on the secret. One might
even hope this could become negligible by increasing the amount of randomness used to create the
shares. However, in this section we show that, for any two-party Shamir secret sharing scheme, an
attack can distinguish between two possible secrets with considerable bias. The attack works even in
the restricted setting of supplied response registers.

Lemma 1. Consider a two-party Shamir secret sharing scheme $\mathcal{S}$. For any two secrets $s, s' \in S$ with
$s \neq s'$, there exists a query with $a = 0$ that will allow an adversary to distinguish between the two
with probability at least $P_{guess}$, where

$P_{guess} \geq \frac{3}{4}.$

Proof. The adversary will need no auxiliary register, so let his state simply be the query register.
He constructs the following (pure state) query

$|\omega\rangle = \frac{1}{\sqrt{2}}(|A_0, 0\rangle + |A_1, 0\rangle)$

where $|\omega\rangle \in \mathcal{H}_{query}$. The final state the adversary sees for different secrets is then,

$\rho^s_{adv} = \sum_{r\in\mathcal{R}} p_r\, |\psi^{adv,s}_r\rangle\langle\psi^{adv,s}_r|$

where $|\psi^{adv,s}_r\rangle = \sum_{A\in\{A_0,A_1\}} \frac{1}{\sqrt{2}}|A, v_A(s,r)\rangle_Q$ and $r \in \mathcal{R}$.

It is well-known that the adversary's probability of distinguishing between two such states, $\rho^s_{adv}$
and $\rho^{s'}_{adv}$, is $P_{guess} = \frac{1}{2} + \frac{1}{4}|\rho^s_{adv} - \rho^{s'}_{adv}|_{Tr}$, where $|\ldots|_{Tr}$ denotes the trace norm. Define the
difference between the two states as the matrix $\Delta$.

$\Delta = \rho^s_{adv} - \rho^{s'}_{adv}$
$= \frac{1}{2}\sum_{A,A'\in\{A_0,A_1\},\, r\in\mathcal{R}} p_r\, |A, v_A(s,r)\rangle_Q\langle A', v_{A'}(s,r)|_Q - \frac{1}{2}\sum_{A,A'\in\{A_0,A_1\},\, r\in\mathcal{R}} p_r\, |A, v_A(s',r)\rangle_Q\langle A', v_{A'}(s',r)|_Q$
$= \frac{1}{2}\sum_{A,A'\in\{A_0,A_1\}} |A\rangle\langle A'| \otimes \Big(\sum_{r\in\mathcal{R}} p_r\, |v_A(s,r)\rangle_Q\langle v_{A'}(s,r)|_Q - \sum_{r\in\mathcal{R}} p_r\, |v_A(s',r)\rangle_Q\langle v_{A'}(s',r)|_Q\Big)$

Since the state for any party individually is independent of the secret we have that for all $s, s' \in S$

$\sum_{r\in\mathcal{R}} p_r\, |v_A(s,r)\rangle\langle v_A(s,r)| = \sum_{r\in\mathcal{R}} p_r\, |v_A(s',r)\rangle\langle v_A(s',r)|$

which means we only need to consider $A, A' \in \{A_0, A_1\}$ with $A \neq A'$.

$\Delta = \frac{1}{2}|A_0\rangle\langle A_1| \otimes \Big(\sum_{r\in\mathcal{R}} p_r\, |v_{A_0}(s,r)\rangle_Q\langle v_{A_1}(s,r)|_Q - \sum_{r\in\mathcal{R}} p_r\, |v_{A_0}(s',r)\rangle_Q\langle v_{A_1}(s',r)|_Q\Big)$
$+ \frac{1}{2}|A_1\rangle\langle A_0| \otimes \Big(\sum_{r\in\mathcal{R}} p_r\, |v_{A_1}(s,r)\rangle_Q\langle v_{A_0}(s,r)|_Q - \sum_{r\in\mathcal{R}} p_r\, |v_{A_1}(s',r)\rangle_Q\langle v_{A_0}(s',r)|_Q\Big)$

Define the two submatrices:

$S = \sum_{r\in\mathcal{R}} p_r\, |v_{A_0}(s,r)\rangle_Q\langle v_{A_1}(s,r)|_Q - \sum_{r\in\mathcal{R}} p_r\, |v_{A_0}(s',r)\rangle_Q\langle v_{A_1}(s',r)|_Q \qquad (1)$

$S^\dagger = \sum_{r\in\mathcal{R}} p_r\, |v_{A_1}(s,r)\rangle_Q\langle v_{A_0}(s,r)|_Q - \sum_{r\in\mathcal{R}} p_r\, |v_{A_1}(s',r)\rangle_Q\langle v_{A_0}(s',r)|_Q$

such that $\Delta$ is the $2 \times 2^*$ by $2 \times 2^*$ matrix

$\Delta = \frac{1}{2}\begin{pmatrix} 0 & S \\ S^\dagger & 0 \end{pmatrix} \qquad (2)$

It is well-known that if $\Delta$ is of the form (2) and $S$ has singular values $s_1 \geq \ldots \geq s_p$ then $\Delta$ has
eigenvalues $\pm s_1/2, \ldots, \pm s_p/2$. Since $\Delta$ is Hermitian, the trace norm is the sum of the absolute eigenvalues.
From this we conclude that $|\Delta|_{Tr} = |S|_{Tr}$ and we can reduce our problem to that of finding the
trace norm of $S$. Let

$S = M_s - M_{s'}, \qquad M_s = \sum_{r\in\mathcal{R}} p_r\, |v_{A_0}(s,r)\rangle\langle v_{A_1}(s,r)|$

Note that for the state to be normalized it must be that

$\sum_{i,j\in\{0,1\}^*} \cdots \qquad \sum_{i,j\in\{0,1\}^*,\, r} \cdots$

Now, define the matrix $\widetilde{M}_s$

$\widetilde{M}_s = \sum_{r\in\mathcal{R}} |v_{A_0}(s,r)\rangle\langle v_{A_1}(s,r)| + \sum_{i=|\mathcal{R}|}^{2^\ell-1} \cdots$

(the second sum runs over the remaining $2^\ell - |\mathcal{R}|$ basis states of the share register).
It's straightforward to see that $\widetilde{M}_s \widetilde{M}_s^\dagger = I$,

$\Big(\sum_{r\in\mathcal{R}} |v_{A_0}(s,r)\rangle\langle v_{A_1}(s,r)| + \sum_{i=|\mathcal{R}|}^{2^\ell-1}\cdots\Big) \times \Big(\sum_{r'\in\mathcal{R}} |v_{A_1}(s,r')\rangle\langle v_{A_0}(s,r')| + \sum_{i=|\mathcal{R}|}^{2^\ell-1}\cdots\Big)$
$= \sum_{r,r'\in\mathcal{R}} |v_{A_0}(s,r)\rangle\langle v_{A_0}(s,r')|\,\langle v_{A_1}(s,r)|v_{A_1}(s,r')\rangle + \sum_{i=|\mathcal{R}|}^{2^\ell-1}\cdots$
$= \sum_{r\in\mathcal{R}} |v_{A_0}(s,r)\rangle\langle v_{A_0}(s,r)| + \sum_{i=|\mathcal{R}|}^{2^\ell-1}\cdots = I$

Note that $\sum_{i=|\mathcal{R}|}^{2^\ell-1}\cdots$ is simply used to pad the subspace to ensure that the matrix is unitary. It will
not be of any importance in the following calculations and can simply be ignored. It is well-known
that

$|S|_{Tr} = \max_U \{|\mathrm{Tr}(SU)|\}$

where $U$ is any unitary matrix. In other words, any specific matrix $U$ is going to give a lower bound
on the trace norm. Both $\widetilde{M}_s$ and $\widetilde{M}_s^\dagger$ are such unitary matrices,

$|S|_{Tr} = \max_U \{|\mathrm{Tr}(SU)|\} \geq |\mathrm{Tr}(S\widetilde{M}_s^\dagger)|$
$= |\mathrm{Tr}((M_s - M_{s'})\widetilde{M}_s^\dagger)|$
$= \Big|\sum_{i,j\in\{0,1\}^*} [M_s]_{i,j}[\widetilde{M}_s]_{i,j} - \sum_{i,j\in\{0,1\}^*} [M_{s'}]_{i,j}[\widetilde{M}_s]_{i,j}\Big|$
$= \Big|1 - \sum_{i,j\in\{0,1\}^*} [M_{s'}]_{i,j}[\widetilde{M}_s]_{i,j}\Big|$

Now note that

$\sum_{i,j\in\{0,1\}^*} \cdots \qquad \sum_{i,j\in\{0,1\}^*,\, r,r'} \cdots$

However the pair $(v_{A_0}(s,r), v_{A_1}(s,r))$ uniquely defines $s$ and hence the sum is 0 unless $s = s'$.
Therefore for $s \neq s'$: $|S|_{Tr} \geq 1$.

$P_{guess} = \frac{1}{2} + \frac{1}{4}|\Delta|_{Tr} = \frac{1}{2} + \frac{1}{4}|S|_{Tr} \geq \frac{1}{2} + \frac{1}{4} = \frac{3}{4}$

which completes the proof. □
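The trace-norm bound in the proof of Lemma 1 can be carried out explicitly. The following Python is an added example, not from the paper: for a constructed two-party Shamir scheme over GF(7) (f(X) = s + rX, party 1 holds f(1), party 2 holds f(2)) it builds $M_s$ with the normalization $p_r = 1/|\mathcal{R}|$ made explicit, uses $|\mathcal{R}| \cdot M_s^\dagger$ as the unitary in $|S|_{Tr} \geq |\mathrm{Tr}(SU)|$ (the role of $\widetilde{M}_s^\dagger$ in the proof), and recovers $P_{guess} \geq 3/4$ for every pair of distinct secrets.

```python
from fractions import Fraction

# Constructed instance (not from the paper): two-party Shamir sharing over GF(P)
# with f(X) = s + r*X and uniform r.  A_0 = {1} holds f(1), A_1 = {2} holds f(2).
P = 7

def shares(s, r):
    """(v_{A_0}(s, r), v_{A_1}(s, r)) = (f(1), f(2))."""
    return (s + r) % P, (s + 2 * r) % P

def joint_matrix(s):
    """M_s = sum_r p_r |v_{A_0}(s,r)><v_{A_1}(s,r)| with p_r = 1/|R| = 1/P,
    as a sparse {(row, col): Fraction}.  r -> f(1) and r -> f(2) are both
    bijections of GF(P), so P * M_s is a permutation matrix (hence unitary)."""
    m = {}
    for r in range(P):
        key = shares(s, r)
        m[key] = m.get(key, Fraction(0)) + Fraction(1, P)
    return m

def pair_determines_secret():
    """The fact the proof relies on: (v_{A_0}, v_{A_1}) pins down s, so M_s and
    M_{s'} have disjoint support whenever s != s'."""
    owner = {}
    for s in range(P):
        for r in range(P):
            if owner.setdefault(shares(s, r), s) != s:
                return False
    return True

def trace_norm_lower_bound(s, s2):
    """|S|_Tr >= |Tr(S U)| for S = M_s - M_{s2} and the unitary U = P * M_s^dagger.
    All entries are real, so Tr(S U) = P * sum_{ij} S_ij [M_s]_ij, which equals
    1 - P * sum_{ij} [M_{s2}]_ij [M_s]_ij exactly as in the proof."""
    Ms, Ms2 = joint_matrix(s), joint_matrix(s2)
    tr = P * sum((Ms[k] - Ms2.get(k, Fraction(0))) * Ms[k] for k in Ms)
    return abs(tr)

def p_guess_bound(s, s2):
    """P_guess = 1/2 + |Delta|_Tr / 4 with |Delta|_Tr = |S|_Tr, so this is a valid
    lower bound on the adversary's probability of guessing the secret."""
    return Fraction(1, 2) + trace_norm_lower_bound(s, s2) / 4

if __name__ == "__main__":
    print("pair of shares determines secret:", pair_determines_secret())
    for s, s2 in [(0, 1), (3, 3), (2, 6)]:
        print("s=%d s'=%d  |S|_Tr >= %s  P_guess >= %s"
              % (s, s2, trace_norm_lower_bound(s, s2), p_guess_bound(s, s2)))
```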
4 Zero-Knowledge 

In this section, we present a zero-knowledge proof for any NP problem in the common reference
string model. The proof is sound for an unbounded prover (quantum or not) and is computationally
zero-knowledge for a polynomially bounded quantum verifier, even if superposition attacks are
allowed.

For the protocol, we need a commitment scheme with special properties: we require a keyed
commitment scheme $\mathrm{Commit}_{pk}$, where the corresponding public key $pk$ is generated by one of two
possible key-generation algorithms: $\mathcal{G}_H$ or $\mathcal{G}_B$. For a key $pkH$ generated by $\mathcal{G}_H$, the commitment
scheme $\mathrm{Commit}_{pkH}$ is unconditionally hiding, whereas the other generator, $\mathcal{G}_B$, actually produces a
key pair $(pkB, sk)$, so that the secret key $sk$ allows to efficiently extract $m$ from $\mathrm{Commit}_{pkB}(m, r)$,
and as such $\mathrm{Commit}_{pkB}$ is unconditionally binding. Furthermore, we require that keys $pkH$ and $pkB$
produced by the two generators are computationally indistinguishable, for any family of polynomial
size quantum circuits. We call such a commitment scheme a dual-mode commitment scheme.[1] As
a candidate for implementing such a system, we propose the public-key encryption scheme of
Regev [Reg05], which is based on a worst-case lattice assumption and is not known to be breakable
even by (efficient) quantum algorithms. Regev does not explicitly state that the scheme has the
property we need, but this is implicit in his proof that the underlying computational assumption
implies semantic security.[2]

4.1 The Model 

We now describe the framework for our protocol: the proof system is specified w.r.t. a language
$L$, and we have a prover $P$ and a verifier $V$, both are assumed classical (when playing honestly).
They get as input a common reference string CRS chosen with a prescribed distribution $\sigma$ and a
string $x$. $P$ and $V$ interact and at the end $V$ outputs accept or reject. The first two properties we
require are standard: Completeness: if $x \in L$ and $P$, $V$ follow the protocol, $V$ outputs accept with
probability 1. Soundness: if $x \notin L$ (but CRS is chosen according to $\sigma$) then for any prover $P^*$, $V$
outputs accept with probability negligible (in the length of $x$) when interacting with $P^*$ on input
$x$ and CRS.

For zero-knowledge, we extend the capabilities of a cheating verifier $V^*$ so it may do a superposition
attack. For simplicity, we give our definition of superposition zero-knowledge only for 3-move
public coin protocols, i.e., conversations are assumed to have the form $(a, e, z)$, where $e$ is a random
challenge issued by the verifier. It is not hard to extend the definition but the notation becomes
more cumbersome. First, $V^*$ is assumed to be a quantum machine, and the protocol is executed as
follows: $V^*$ receives $x$, CRS and $P$'s first message $a$. Now, instead of sending a classical challenge
$e$, $V^*$ is allowed to send a query

$\sum_{e,y} \alpha_{e,y}|e\rangle|y\rangle.$

We assume the prover will process the query following his normal algorithm in superposition,
so the verifier will get the same two registers back, in state

$\sum_{e,y} \alpha_{e,y}|e\rangle|y + z(x,e,\rho)\rangle,$

[1] The notions of dual-mode crypto systems and of meaningful/meaningless encryptions, as introduced in [PVW08]
and [KN08], are similar in spirit but differ slightly technically.
[2] The proof compares the case where the public key is generated normally to a case where it is chosen with no
relation to any secret key. It is then argued that the assumption implies that the two cases are computationally
indistinguishable, and that in the second case, a ciphertext carries essentially no information about the message.
This argument implies what we need.
where $z(x,e,\rho)$ is $P$'s response to challenge $e$ on input $x$ and internal randomness $\rho$. Finally, $V^*$
outputs 0 or 1. Let $p_{real}(x)$ be the probability that 1 is output. We say that the proof system is
superposition zero-knowledge if there exists a polynomial time quantum machine, the simulator $S$,
such that the following holds for any cheating verifier $V^*$ and $x \in L$: $S$ interacts with $V^*$ on input
$x$, and we let $p_{sim}(x)$ be the probability that $V^*$ outputs 1. Then $|p_{real}(x) - p_{sim}(x)|$ is negligible
(in the length of $x$).

Note that, as usual in the CRS model, $S$ only gets $x$ as input and may therefore generate the
reference string itself.

4.2 The Protocol 

We now describe the basic ideas behind our protocol: we will let the CRS contain the following:
$pkB$, $c = \mathrm{Commit}_{pkB}(0)$, $pkB'$, where the public keys are both generated by $\mathcal{G}_B$. Then, using a standard
trick, we will let $P$ show that either $x \in L$ or $c$ contains a 1. Since of course the latter statement is
false, $P$ still needs to convince us that $x \in L$. The simulator, on the other hand, can construct a
reference string where $c$ does contain 1 and simulate by following the protocol. The CRS will look
the same to the verifier so we just need that the change of witness used is not visible in the proof,
i.e., the proof should be witness indistinguishable. In this way, we can simulate without rewinding,
and this allows $V^*$ to be quantum.

However, standard techniques for witness indistinguishability are not sufficient to handle a
superposition attack. For this, we need to be more specific about the protocol: a first attempt (which
does not give us soundness) is that $P$ will secret-share his witness $w$ (where for the honest prover,
$w$ will be a witness for $x \in L$), to create shares $s_i$, where we assume the scheme has $t$-privacy.
Then $P$'s first message is a set of commitments $a = (\mathrm{Commit}_{pkB'}(s_1, r_1), \ldots, \mathrm{Commit}_{pkB'}(s_n, r_n))$. The
verifier's challenge $e$ will point out a random subset of the commitments, of size $t/2$, and the prover
opens the commitments requested. Intuitively, this is zero-knowledge by Theorem 1: since we limit
the number of shares the verifier can ask for to half the threshold of the secret sharing scheme, the
state $V^*$ gets back contains no information on the secret $w$.

On the other hand, this protocol is of course not sound, the verifier cannot check that the
prover commits to meaningful shares of anything. To solve this, we make use of the "MPC in the
head" technique from [IKOS09]: Here, we make use of an $n$-party protocol in which the witness
$w$ is secret-shared among the players, and a multiparty computation is done to check whether $w$ is
correct with respect to the claim on the public input, namely in our case $x \in L$ and the $c$ from
the CRS contains 1. Finally all players output accept or reject accordingly. It is assumed that the
protocol is secure against active corruption of $t$ players where $t$ is $O(n)$. We will call this protocol
$\pi_{L,CRS}$ in the following. Several examples of suitable protocols can be found in [IKOS09]. In their
construction, the prover emulates an execution of $\pi$ in his head, and we let $V_{\pi_{L,CRS}}(i,\rho)$ denote the
view of virtual player $i$, where $\rho$ is the randomness used. The prover then commits to $V_{\pi_{L,CRS}}(i,\rho)$
for $i = 1\ldots n$ and the verifier asks the prover to open $t$ randomly chosen views that are checked for
consistency and adherence to $\pi_{L,CRS}$. It is shown in [IKOS09] that if no valid witness exists for the
public input, then the verifier will detect an error with overwhelming probability.

Now, observe that the process of emulating $\pi$ can be thought of as a secret sharing scheme,
where the prover's witness $w$ is shared and each $V_\pi(i,\rho)$ is a share: indeed any $t$ shares contain no
information on $w$ by $t$-privacy of the protocol. Therefore combining this with our rudimentary idea
from before gives us the solution.

Superposition-secure zero-knowledge proof for any NP-language $L$.

The public input is $x$, of length $k$ bits. The distribution $\sigma$ generates the common reference string
as $pkB$, $c = \mathrm{Commit}_{pkB}(0)$, $pkB'$, where the public keys are both generated by $\mathcal{G}_B$ on input $1^k$.

1. The prover $P$ emulates $\pi_{L,CRS}$ to generate $V_{\pi_{L,CRS}}(i,\rho)$ and sends $\mathrm{Commit}_{pkB'}(V_{\pi_{L,CRS}}(i,\rho))$
for $i = 1\ldots n$ to the verifier $V$.

2. $V$ sends a challenge $e$ designating a random subset of the commitments of size $t/2$.

3. $P$ opens the commitments designated by $e$, $V$ checks the opened views according to the algorithm
described in [IKOS09], and accepts or rejects according to the result.

Theorem 2. // (^b; Commit) form a secure dual-mode commitment scheme, then the above 
protocol is complete, sound and superposition zero-knowledge. 

Proof. Completeness is trivial by inspection of the protocol. Soundness follows immediately from 
the soundness proof in [IKOS09]; we just have to observe that the fact that the prover opens t/2 
and not t views makes no difference, in fact the proof holds as long as $\Theta(n)$ views are opened. 
For zero-knowledge, we describe a simulator S: It will generate a common reference string as 
$pk_H, c = Commit_{pk_H}(1), pk_{H'}$ where both public keys are generated by $\mathcal{G}_H$ on input $1^k$. It then plays 
the protocol with V*, answering its quantum queries by following the protocol. This is possible since 
c now contains a 1, so S knows a valid witness. To show that V* cannot distinguish simulation 
from protocol, we define a series of games: 

Game 0 The protocol as described above, but where P talks to V* doing a superposition attack. 

Game 1 As Game 0, but the CRS is generated as $pk_H, c = Commit_{pk_H}(0), pk_{B'}$ where $pk_H$ is generated 
by $\mathcal{G}_H$ and $pk_{B'}$ is generated by $\mathcal{G}_B$. 

Game 2 As Game 1, but the CRS is generated as $pk_H, c = Commit_{pk_H}(1), pk_{H'}$ where both public 
keys are generated by $\mathcal{G}_H$. 

Game 3 As Game 2, but P uses as witness the fact that c contains a 1. 

Now, Game 0 and Game 1 are computationally indistinguishable by assumption on the dual-mode 
commitment scheme, and the same is true for Game 1 and Game 2. Game 2 and Game 3 are 
statistically indistinguishable by Theorem 1 and the fact that commitments done using $pk_{H'}$ are 
statistically hiding. Finally, note that Game 3 is exactly the same game as the simulation. 

5 Multiparty computation 

In this section we consider the models for MPC protocols. A classical passive attack on a multiparty 
computation protocol looks a lot like the attacks on secret sharing: you query for a subset and get 
back the parties' entire views of the protocol. Of course, you can generalize this to a quantum attack 
in the same way. And you can ask if there is some adversary structure for which the protocol would 
be secure against such an attack, assuming classical security. 

Security for MPC protocols is usually defined as an adversary's ability to distinguish between an 
attack in the real world where he's allowed access to a corruption oracle of some subset of the parties 
and an ideal world where the attack is simulated towards the adversary using the ideal functionality 
of the protocol. We hence need to describe both models, for the real and for the ideal world. They'll 
need different spaces and different operations to execute. As before, we have n parties running the 
protocol. We name the parties $P_1, \ldots, P_n$. Let $[n] = \{1, \ldots, n\}$. An adversary structure is $\Gamma \subseteq 2^{[n]}$. 
Each party $P_i$ has local input $s_i \in S_i$, which is supplied by the adversary, and chooses randomness 
$r_i \in \mathcal{R}_i$. $s \in S$ and $r \in \mathcal{R}$ denote the concatenation of each of these. $v_i(s,r)$ and $o_i(s,r)$ are the 
private view and output for the party $P_i$, when the protocol has been run on inputs s and using 
randomness r. Note these are functions and not general quantum operations as the parties, even the 
corrupted ones, are expected to run the protocol honestly. For $A \subseteq [n]$, let $v_A(s,r) = \{v_i(s,r)\}_{i \in A}$, 
$s_A = \{s_i\}_{i \in A}$ and $o_A(s,r) = \{o_i(s,r)\}_{i \in A}$ be strings containing the concatenation of views, input 
and output for parties $P_i$ with $i \in A$. For convenience in the following we assume that each such 
string is padded, so that they have the same length (t bits) regardless of the size of A. 

5.1 MPC model in the 'Real world' 

First we will consider the case of running and attacking the protocol in the real world. As earlier, 
all actions taken by the parties and the adversary will be considered purified so the overall state 
remains pure throughout. Consider the following space, 

$$\mathcal{H}_{total} = \mathcal{H}_{parties} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{env} \otimes \mathcal{H}_{query}$$

$\mathcal{H}_{parties}$ contains the private views and purification of the randomness for the parties. 
$\mathcal{H}_{in}$ contains the input the parties will use to run the protocol. 
$\mathcal{H}_{out}$ is where the output will be stored after running the protocol. 
$\mathcal{H}_{env}$ is the environment and is used to store auxiliary input and any auxiliary register needed by 
the adversary. The dimension is therefore arbitrary, though finite. 
$\mathcal{H}_{query}$ is where the query to, and response from, the oracle will be stored. 

Each of these subspaces is, of course, of appropriate (and finite) dimension. 

We will break the superposition run, and attack, of an MPC protocol in the real world down 
into four unitaries. After each unitary we will consider the change to the description of the state. 
In the beginning all the registers are blank (i.e. have value 0), except the environment, which might 
contain some (purified) auxiliary input for the adversary. The initial state is hence, 

$$|init\rangle^{rw} = \sum_x \alpha_x |0\rangle_p |0\rangle_i |0\rangle_o |x\rangle_e |0\rangle_q$$

where $|init\rangle^{rw} \in \mathcal{H}_{total}$, $|0\rangle_p \in \mathcal{H}_{parties}$, $|0\rangle_i \in \mathcal{H}_{in}$, $|0\rangle_o \in \mathcal{H}_{out}$, $|x\rangle_e \in \mathcal{H}_{env}$ and $|0\rangle_q \in \mathcal{H}_{query}$, as 
should be expected from the notation. The superscript, rw, specifies that it's in the real world. 
The first unitary is applied by the adversary and supplies the inputs to the parties. This is an 
arbitrary unitary operation. We'll denote it $U^{adv}_{in}$, 

$$U^{adv}_{in} : \mathcal{H}_{in} \otimes \mathcal{H}_{env} \to \mathcal{H}_{in} \otimes \mathcal{H}_{env}$$

The result of this is that the input registers are now filled. These are in superposition over all 
possible inputs. The state after the first unitary is therefore, 

$$|1\rangle^{rw} = \sum_{x,s} \alpha_{x,s} |0\rangle_p |s\rangle_i |0\rangle_o |x\rangle_e |0\rangle_q$$

The protocol is now run honestly without intervention from the adversary. This is a classical function 
run in superposition over the possible inputs and produces a corresponding superposition of private 
views and outputs for the parties. We'll denote this unitary $U^{pro}_{run}$, 

$$U^{pro}_{run} : \mathcal{H}_{parties} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \to \mathcal{H}_{parties} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out}$$

Recall that we are purifying all actions, hence also the choice of randomness when the protocol is 
run. The state after the second unitary is therefore, 

$$|2\rangle^{rw} = \sum_{x,s,r} \alpha_{x,s} \sqrt{p_r} \, |v_{[n]}(s,r)\rangle_p |s\rangle_i |o_{[n]}(s,r)\rangle_o |x\rangle_e |0\rangle_q \qquad (3)$$

Next the adversary needs to construct his query to the oracle. This includes choosing the superpo- 
sition of subsets he'll corrupt and associated values for the response registers for input, output and 
view. For simplicity we'll sometimes refer to these three values by a. That is, $a = (a_i, a_o, a_v)$. This 
is an arbitrary unitary operation. We'll denote it $U^{adv,\Gamma}_{query}$, 

$$U^{adv,\Gamma}_{query} : \mathcal{H}_{env} \otimes \mathcal{H}_{query} \to \mathcal{H}_{env} \otimes \mathcal{H}_{query}$$

The state is now, 

$$|3\rangle^{rw} = \sum_{x,s,r,A,a} \alpha_{x,s,A,a} \sqrt{p_r} \, |v_{[n]}(s,r)\rangle_p |s\rangle_i |o_{[n]}(s,r)\rangle_o |x\rangle_e |A, a\rangle_q$$

The next unitary is applied by the oracle, that, for each corrupted subset in the query, fills the input, 
output and view into the response register supplied by the adversary. This is a classical function 
on each corrupted subset and view in the superposition which fills in the input, output and view 
into the response register. We'll denote this unitary $U^{oracle}_{res}$, 

$$U^{oracle}_{res} : \mathcal{H}_{parties} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{query} \to \mathcal{H}_{parties} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{query}$$

and the state after the fourth unitary is therefore 

$$|4\rangle^{rw} = \sum_{x,s,r,A,a} \alpha_{x,s,A,a} \sqrt{p_r} \, |v_{[n]}(s,r)\rangle_p |s\rangle_i |o_{[n]}(s,r)\rangle_o |x\rangle_e |A, a_i + s_A, a_o + o_A(s,r), a_v + v_A(s,r)\rangle_q$$

The adversary receives the response register and must now guess if he's in the real or ideal world. 
He can do this using the input register, his auxiliary register and the query register. To see the 
adversary's final state we need to trace out the registers holding the views and outputs of all the parties, 

$$\rho^{rw}_{adv} = Tr_{p,o}(|4\rangle\langle 4|^{rw}) = \sum_{r,r',s,s'} \sqrt{p_r}\sqrt{p_{r'}} \, |\psi_{r,s}\rangle\langle\psi_{r',s'}| \, Tr\left(|v_{[n]}(s,r)\rangle_p\langle v_{[n]}(s',r')| \otimes |o_{[n]}(s,r)\rangle_o\langle o_{[n]}(s',r')|\right)$$

where $|\psi_{r,s}\rangle = \sum_{x,A,a} \alpha_{x,s,A,a} |s\rangle_i |x\rangle_e |A, a_i + s_A, a_o + o_A(s,r), a_v + v_A(s,r)\rangle_q$. It is interesting to note 
that even though the input register was supplied by the adversary, as the parties run the protocol 
their private state becomes entangled with the input register. This is a register the adversary does 
not have access to and as a consequence he now sees a mixed state over possible inputs. 



We'll sum up these steps below in Figure 1. 

[Fig. 1. Purified run of multiparty computation in the real world with superposition attacks: the initial state $|init\rangle^{rw}$ followed by the four unitaries $U^{adv}_{in}$, $U^{pro}_{run}$, $U^{adv,\Gamma}_{query}$ and $U^{oracle}_{res}$ with the resulting states $|1\rangle^{rw}$ to $|4\rangle^{rw}$ as given above.] 
5.2 MPC model in the 'Ideal world' 

Secondly we consider the ideal world, where a simulator is to simulate a real attack for the adversary 
using only the ideal functionality. The space for this model is, 

$$\mathcal{H}_{total} = \mathcal{H}_{idealF} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{sim} \otimes \mathcal{H}_{env} \otimes \mathcal{H}_{query}$$

$\mathcal{H}_{in}$, $\mathcal{H}_{out}$ and $\mathcal{H}_{env}$ serve the same purpose as in the real world. 
$\mathcal{H}_{sim}$ denotes the subspace in which the simulator operates. 
$\mathcal{H}_{query}$ is still the register where the adversary constructs his query, but the simulator will be allowed 
to change this before using it to query the ideal functionality. Finally, we have a space for the ideal 
functionality, $\mathcal{H}_{idealF}$. This is necessary as we want to purify the random choices made and we need 
the state of the ideal functionality to be entangled with the input register as the parties would be in 
the real world. We'll describe the unitaries that differ and refer to the earlier description for those 
that don't. There will be six unitaries in total. The initial state is, 

$$|init\rangle^{iw} = \sum_x \alpha_x |0\rangle_{if} |0\rangle_i |0\rangle_o |0\rangle_s |x\rangle_e |0\rangle_q$$

where $|init\rangle^{iw} \in \mathcal{H}_{total}$, $|0\rangle_{if} \in \mathcal{H}_{idealF}$, $|0\rangle_i \in \mathcal{H}_{in}$, $|0\rangle_o \in \mathcal{H}_{out}$, $|0\rangle_s \in \mathcal{H}_{sim}$, $|x\rangle_e \in \mathcal{H}_{env}$ and 
$|0\rangle_q \in \mathcal{H}_{query}$, as should be expected from the notation. The superscript, iw, denotes that it's in 
the ideal world. The first unitary is exactly as in the real world and hence, 

$$|1\rangle^{iw} = \sum_{x,s} \alpha_{x,s} |0\rangle_{if} |s\rangle_i |0\rangle_o |0\rangle_s |x\rangle_e |0\rangle_q$$

The ideal functionality now entangles itself with the input register and produces the correct outputs 
in the output register. This is a classical function of each input in the superposition. We'll denote this 
unitary $U^{ideal}_{out}$, 

$$U^{ideal}_{out} : \mathcal{H}_{idealF} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out} \to \mathcal{H}_{idealF} \otimes \mathcal{H}_{in} \otimes \mathcal{H}_{out}$$

Recall that any random choices are purified onto $\mathcal{H}_{idealF}$. The resulting state is therefore, 

$$|2\rangle^{iw} = \sum_{x,s,r} \alpha_{x,s} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |0\rangle_s |x\rangle_e |0\rangle_q$$

The adversary constructs his query exactly as earlier, 

$$U^{adv,\Gamma}_{query} : \mathcal{H}_{env} \otimes \mathcal{H}_{query} \to \mathcal{H}_{env} \otimes \mathcal{H}_{query}$$

$$|3\rangle^{iw} = \sum_{x,s,r,A,a} \alpha_{x,s,A,a} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |0\rangle_s |x\rangle_e |A, a\rangle_q$$

Now the simulator gets the query and must construct an appropriate response to the adversary, only 
using the ideal functionality. First the simulator is allowed to change the adversary's query using 
an auxiliary register. The only requirement is that it is corruption preserving, that is, the probability 
of measuring a specific A is unchanged. This is an arbitrary unitary operation. We'll denote it $U^{sim}_{query}$, 

$$U^{sim}_{query} : \mathcal{H}_{sim} \otimes \mathcal{H}_{query} \to \mathcal{H}_{sim} \otimes \mathcal{H}_{query}$$

$$|4\rangle^{iw} = \sum_{x,z,s,r,A,a} \alpha_{x,z,s,A,a} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |z\rangle_s |x\rangle_e |A, a\rangle_q$$

Now the ideal functionality is run on the query from the simulator. This is a classical function on 
each corrupted subset and each view in the superposition which fills in the input and output into 
the response register. We'll denote this unitary $U^{ideal}_{res}$, 

$$U^{ideal}_{res} : \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{query} \to \mathcal{H}_{in} \otimes \mathcal{H}_{out} \otimes \mathcal{H}_{query}$$

and the response register now contains input and output from the corrupted parties, but, of course, 
not their views. 

$$|5\rangle^{iw} = \sum_{x,z,s,r,A,a} \alpha_{x,z,s,A,a} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |z\rangle_s |x\rangle_e |A, a_i + s_A, a_o + o_A(s,r), a_v\rangle_q$$

Next the simulator must try to simulate the response the adversary got in the real world. We'll 
denote this unitary $U^{sim}_{res}$, 

$$U^{sim}_{res} : \mathcal{H}_{sim} \otimes \mathcal{H}_{query} \to \mathcal{H}_{sim} \otimes \mathcal{H}_{query}$$

The resulting state is 

$$|6\rangle^{iw} = \sum_{x,z,s,r,A,a} \alpha_{x,z,s,A,a} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |z\rangle_s |x\rangle_e |A, \psi_{z,s,A,a}\rangle_q$$

Finally, to see what state the adversary sees we must trace out the ideal functionality, the output 
and the simulator registers, 

$$\rho^{iw}_{adv} = Tr_{if,o,s}(|6\rangle\langle 6|^{iw}) = \sum_{r,r',s,s',z,z'} \sqrt{p_r}\sqrt{p_{r'}} \, |\psi^{adv}_{r,s,z}\rangle\langle\psi^{adv}_{r',s',z'}| \, Tr\left(|s,r\rangle_{if}\langle s',r'| \otimes |o_{[n]}(s,r)\rangle_o\langle o_{[n]}(s',r')| \otimes |z\rangle_s\langle z'|\right)$$

where $|\psi^{adv}_{r,s,z}\rangle = \sum_{x,A,a} \alpha_{x,z,s,A,a} |s\rangle_i |x\rangle_e |A, \psi_{z,s,A,a}\rangle_q$. Again, we will sum up the steps below in Figure 2. 

An MPC protocol is defined by the operator $U^{pro}_{run}$ (which in turn also defines $U^{oracle}_{res}$). A specific 
adversary is defined by the initial state $\sum_x \alpha_x |x\rangle$ and the two unitary operators $U^{adv}_{in}$, $U^{adv,\Gamma}_{query}$. Finally, 
a simulator is defined by the two unitary operators $\{U^{sim}_{query}, U^{sim}_{res}\}$. This allows for the following 
definition. 



[Fig. 2. Purified run of multiparty computation in the ideal world with superposition attacks: the initial state $|init\rangle^{iw}$ followed by the six unitaries $U^{adv}_{in}$, $U^{ideal}_{out}$, $U^{adv,\Gamma}_{query}$, $U^{sim}_{query}$, $U^{ideal}_{res}$ and $U^{sim}_{res}$ with the resulting states $|1\rangle^{iw}$ to $|6\rangle^{iw}$ as given above.] 
Definition 2. A pair of unitary operators, $\{U^{sim}_{query}, U^{sim}_{res}\}$, are a perfect black-box simulator for the 
MPC protocol defined by $U^{pro}_{run}$ with adversary structure $\Gamma$ if, and only if, for all auxiliary inputs 
$\sum_x \alpha_x |x\rangle$, and all operators $U^{adv}_{in}, U^{adv,\Gamma}_{query}$, 

$$\rho^{rw}_{adv} = Tr_{p,o}(|4\rangle\langle 4|^{rw}) = \rho^{iw}_{adv} = Tr_{if,o,s}(|6\rangle\langle 6|^{iw})$$

where 

$$|4\rangle^{rw} = U^{oracle}_{res} U^{adv,\Gamma}_{query} U^{pro}_{run} U^{adv}_{in} |init\rangle^{rw}$$

$$|6\rangle^{iw} = U^{sim}_{res} U^{ideal}_{res} U^{sim}_{query} U^{adv,\Gamma}_{query} U^{ideal}_{out} U^{adv}_{in} |init\rangle^{iw}$$

where we for readability assume that the operators are padded with appropriate identities on the 
subspaces they don't operate on. 



5.3 No simulator for general MPC if $U^{sim}_{query}$ is unitary 

Consider a simple MPC protocol with a single dealer that deals a secret $s \in \{0,1\}$ to a number of 
parties. Denote this dealer as the party $P_1$. The adversary will not need an auxiliary register in the 
following and it will therefore be left out of the equations. Let the adversary make a query, defined 
by $U_{query} : \mathcal{H}_{query} \to \mathcal{H}_{query}$, that is only of the dealer and one more party, where he puts the 
response register for the input in perfect superposition. The complete state after applying $U_{query}$ 
on the query register is, 

$$|3\rangle^{rw} = \sum_{r,a_i} \frac{1}{\sqrt{2}} \sqrt{p_r} \, |v_{[n]}(s,r)\rangle_p |s\rangle_i |o_{[n]}(s,r)\rangle_o |A, a_i, 0, 0\rangle_q$$

where $A = \{1,2\}$. The state after applying the oracle is 

$$|4\rangle^{rw} = \sum_{r,a_i} \frac{1}{\sqrt{2}} \sqrt{p_r} \, |v_{[n]}(s,r)\rangle_p |s\rangle_i |o_{[n]}(s,r)\rangle_o |A, a_i + s_A, 0, v_A(s,r)\rangle_q$$

If we look at the final part of the query register ($v_A(s,r)$) we can see that it is in a classical state 
and contains the view of the dealer and one other party, that is, the randomness and one secret 
share. This uniquely defines the secret and hence the query register must be orthogonal for two 
different secrets. 

In the ideal world assume, for the time being, that $U^{sim}_{query}$ is the identity. The state after the oracle 
for the ideal functionality is applied is then, 

$$|5\rangle^{iw} = \sum_{r,a_i} \frac{1}{\sqrt{2}} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |0\rangle_s |A, a_i + s_A, 0, 0\rangle_q$$

Since this is in perfect superposition over all values of $a_i$ we can conclude that, 

$$|5\rangle^{iw} = \sum_{r,a_i} \frac{1}{\sqrt{2}} \sqrt{p_r} \, |s,r\rangle_{if} |s\rangle_i |o_{[n]}(s,r)\rangle_o |0\rangle_s |A, a_i, 0, 0\rangle_q$$

and the state the simulator sees is therefore independent of the secret. There's hence no way it 
can produce two orthogonal states depending on the secret and hence no way to simulate. For the 
case of a different simulator where $U^{sim}_{query}$ is not the identity, but some unitary operation on $\mathcal{H}_{query}$, 
there exists a different adversary that applies the unitary $U'_{query} = U_{query} (U^{sim}_{query})^\dagger$ instead. The 
register the simulator sends to the oracle of the ideal functionality is now exactly the same as 
above, and the same argumentation can now be repeated. It follows that for any such simulator 
there exists an adversary that cannot be simulated. 



5.4 No simulator for quantum attacks by running classical simulator in superposition 

Unfortunately, it is not completely clear how to design a good quantum simulator, even assuming 
restrictions on $\Gamma$ as in Theorem 1 for secret sharing and in the setting with created response 
registers. A natural first attempt would be to use a classical simulator (which we can assume 
exists) and produce a superposition of what it produces on those corrupted subsets that occur in 
the query. We can show, however, that this cannot work in general. 

Let us first make clear what we mean by running a classical simulator in superposition: con- 
sider a classical machine S which gets as input a subset A of parties, the inputs and outputs of 
those parties $(s_A, o_A(s))$ and a random string c. It then outputs $S(A, s_A, o_A(s), c)$. Running S 
in superposition now means that on input $|\psi^{adv}_x\rangle = \sum_{s,A} \alpha_{x,s,A} |0\rangle_s |A, s_A, o_A(s), 0\rangle_q$ we output 

$$\sum_{A \in \Gamma, c} \alpha_{x,s,A} \sqrt{p_c} \, |c\rangle_s |A, s_A, o_A(s), S(A, s_A, o_A(s), c)\rangle_q.$$

This means that the state returned to the adversary will be 

$$\sum_{A,A'} \alpha_A \alpha^*_{A'} |A\rangle\langle A'| \otimes |s_A, o_A(s)\rangle\langle s_{A'}, o_{A'}(s)| \otimes \sum_c p_c |S(A, s_A, o_A(s), c)\rangle\langle S(A', s_{A'}, o_{A'}(s), c)|$$

Now consider the following simple example protocol: we have 4 parties $P_0, P_1, P_2, P_3$. Player $P_0$ 
gets as input a bit s. He will then secret share it additively among the other parties: he chooses bits 
$r_1, r_2$ at random and sends $r_1$ to $P_1$, $r_2$ to $P_2$ and $s \oplus r_1 \oplus r_2$ to $P_3$. There is no output defined for 
anyone. Clearly, this protocol is perfectly secure against a classical attack where at most 2 parties 
are corrupted. One might therefore hope that it would be perfectly secure against quantum attacks 
using superpositions of sets containing only 1 party. 

However, we now argue that such security cannot be shown by running any classical simulator 
S in superposition. To this end, consider the case where we corrupt all parties in equally weighted 
superposition. This will mean that the simulator has to start from the input state 

$$\frac{1}{2}\left(|P_0\rangle|s\rangle|0\rangle + \sum_{i=1}^{3} |P_i\rangle|\bot\rangle|0\rangle\right)$$

The state has this form since the input and output for $P_0$ is just s and the other parties have no 
input or output. The state returned will be 

$$\rho_{sim,s} = \sum_{A,A' \in \{\{P_0\},\{P_1\},\{P_2\},\{P_3\}\}} \frac{1}{4} |A\rangle\langle A'| \otimes |s_A\rangle\langle s_{A'}| \otimes \sum_c p_c |S(A, s_A, c)\rangle\langle S(A', s_{A'}, c)|$$

If we define $s_{\{P_i\}} = s_i$ to be the secret s if $i = 0$ and $\bot$ otherwise, and index with $P_i, P_{i'}$ instead of 
$A, A'$, we can write the state a bit more conveniently as: 

$$\rho_{sim,s} = \sum_{i,i'} \frac{1}{4} |P_i\rangle\langle P_{i'}| \otimes |s_i\rangle\langle s_{i'}| \otimes \sum_c p_c |S(i, s_i, c)\rangle\langle S(i', s_{i'}, c)|$$

On the other hand, we can compute the state $\rho_{real,s}$ that would be returned from a real attack. 
Define $v_i(s, r_1, r_2)$ to be the view of the protocol for $P_i$, defined as a 2-bit register. Thus 

$$v_0(s,r_1,r_2) = (r_1, r_2),\; v_1(s,r_1,r_2) = (r_1, 0),\; v_2(s,r_1,r_2) = (r_2, 0),\; v_3(s,r_1,r_2) = (r_1 \oplus r_2 \oplus s, 0).$$

This means that the state returned for a particular choice of $s, r_1, r_2$ is 

$$|\psi_{s,r_1,r_2}\rangle = \frac{1}{2} \sum_{i} |P_i\rangle|s_i\rangle|v_i(s,r_1,r_2)\rangle$$

For fixed s, each choice of $r_1, r_2$ occurs with probability 1/4, so 

$$\rho_{real,s} = \sum_{r_1,r_2} \frac{1}{4} |\psi_{s,r_1,r_2}\rangle\langle\psi_{s,r_1,r_2}| = \sum_{r_1,r_2} \frac{1}{16} \sum_{i,i'} |P_i\rangle\langle P_{i'}| \otimes |s_i\rangle\langle s_{i'}| \otimes |v_i(s,r_1,r_2)\rangle\langle v_{i'}(s,r_1,r_2)|$$

Consider the part of $\rho_{sim,s}$ that corresponds to $P_i = P_0$ and $P_{i'} = P_1$. Then, since we assume perfect 
simulation, i.e., $\rho_{sim,s} = \rho_{real,s}$, for any c, we must have $S(P_0, s_A, o_A(s), c) = S(0, s, c) = (r_1, r_2)$ 
and $S(P_{i'}, s_{A'}, o_{A'}(s), c) = S(1, \bot, c) = (r_1, 0)$, where the same $r_1$ occurs in both strings, since in 
a real execution, $P_1$ would of course receive the same bit that $P_0$ sent. We get an exactly similar 
conclusion for $P_{i'} = P_2$, and for $P_{i'} = P_3$, we can conclude that $S(3, \bot, c) = (s \oplus r_1 \oplus r_2, 0)$. 

But now note that we can simply compute $S(i, \bot, c)$ for $i = 1, 2, 3$ and some fixed c. Then 
the above shows that if running S in superposition was a perfect quantum simulator, we could 
compute $(s, 0) = S(1, \bot, c) \oplus S(2, \bot, c) \oplus S(3, \bot, c)$, without any information on s, which is of 
course a contradiction. 
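The argument above can be checked mechanically. The following Python is an added example, not code from the paper: it builds $\rho_{real,s}$ and $\rho_{sim,s}$ for the four-party bit-sharing protocol as exact rational density matrices over the basis $|P_i\rangle|s_i\rangle|view\rangle$, runs a classical simulator S in superposition over the equally weighted single-party subsets, and compares the two states block by block. The simulator `classical_simulator` is my own construction (an assumption of the example): it is perfect against every classical corruption of a single party, and the check shows that the diagonal $|P_i\rangle\langle P_i|$ blocks agree for both secrets while the off-diagonal blocks can only agree for one value of s, which is the paper's XOR contradiction in concrete form. All function names are the example's own.

```python
from fractions import Fraction
from itertools import product

PARTIES = (0, 1, 2, 3)
BITS = (0, 1)

def view(i, s, r1, r2):
    """2-bit view of P_i in the additive bit-sharing protocol of Section 5.4:
    P_0 sees its own coins, P_1 gets r1, P_2 gets r2, P_3 gets s xor r1 xor r2."""
    return [(r1, r2), (r1, 0), (r2, 0), (r1 ^ r2 ^ s, 0)][i]

def party_input(i, s):
    """Only the dealer P_0 has an input; None stands for the paper's bottom symbol."""
    return s if i == 0 else None

def uniform_superposition(s, views):
    """|psi> = 1/2 * sum_i |P_i>|s_i>|view_i>, as a dict basis label -> real amplitude."""
    return {(i, party_input(i, s), views[i]): Fraction(1, 2) for i in PARTIES}

def add_weighted_projector(rho, psi, weight):
    """rho += weight * |psi><psi|, with rho stored as a dict (ket label, bra label) -> entry."""
    for ket, a in psi.items():
        for bra, b in psi.items():
            rho[(ket, bra)] = rho.get((ket, bra), Fraction(0)) + weight * a * b

def rho_real(s):
    """rho_real,s: the real-world response, a uniform mixture over the coins (r1, r2)."""
    rho = {}
    for r1, r2 in product(BITS, repeat=2):
        views = [view(i, s, r1, r2) for i in PARTIES]
        add_weighted_projector(rho, uniform_superposition(s, views), Fraction(1, 4))
    return rho

def rho_sim(s, simulator):
    """rho_sim,s: a classical simulator S(i, s_i, c) run in superposition over the
    equally weighted subsets {P_i}, with its coins c = (c1, c2) uniform over four values."""
    rho = {}
    for c in product(BITS, repeat=2):
        views = [simulator(i, party_input(i, s), c) for i in PARTIES]
        add_weighted_projector(rho, uniform_superposition(s, views), Fraction(1, 4))
    return rho

def classical_simulator(i, s_i, c):
    """Constructed example simulator (an assumption of this example, not from the paper).
    Against a single classically corrupted party it is perfect: every party receives a
    2-bit view with the right distribution. It is never given s for P_1, P_2, P_3,
    so those three answers cannot depend on the secret."""
    c1, c2 = c
    if i == 0:
        return (c1, c2)          # the dealer's view is its own coins
    if i == 1:
        return (c1, 0)
    if i == 2:
        return (c2, 0)
    return (c1 ^ c2, 0)          # a random-looking third share, independent of s

def block(rho, i, j):
    """The |P_i><P_j| block of rho: entries whose ket lives on party i and bra on party j."""
    return {k: v for k, v in rho.items() if k[0][0] == i and k[1][0] == j and v != 0}

def classical_blocks_match(s, simulator):
    """Diagonal blocks only: what a classical attack on one party at a time can see."""
    real, sim = rho_real(s), rho_sim(s, simulator)
    return all(block(real, i, i) == block(sim, i, i) for i in PARTIES)

def superposition_blocks_match(s, simulator):
    """All blocks, including the |P_i><P_j| coherences that a superposition attack sees."""
    real, sim = rho_real(s), rho_sim(s, simulator)
    return all(block(real, i, j) == block(sim, i, j) for i in PARTIES for j in PARTIES)

def xor_of_non_dealer_answers(simulator, c):
    """S(1, bottom, c) xor S(2, bottom, c) xor S(3, bottom, c); perfect simulation would force
    this to equal (s, 0) for both values of s, which no s-independent S can achieve."""
    a, b, d = (simulator(i, None, c) for i in (1, 2, 3))
    return (a[0] ^ b[0] ^ d[0], a[1] ^ b[1] ^ d[1])

if __name__ == "__main__":
    for s in BITS:
        print(f"s={s}: classical blocks match: {classical_blocks_match(s, classical_simulator)}, "
              f"superposition blocks match: {superposition_blocks_match(s, classical_simulator)}")
```

For s = 0 the constructed simulator happens to reproduce every block, because its three non-dealer answers XOR to (0, 0); for s = 1 the $|P_0\rangle\langle P_3|$ block differs, and since S(1,⊥,c), S(2,⊥,c), S(3,⊥,c) cannot depend on s, no choice of S can satisfy both secrets at once.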



5.5 Limited simulators 

The result in 5.3 strongly suggests that it's impossible to construct a simulator for general MPC 
protocols in the setting with supplied response registers. In this section we will discuss the prob- 
lem of constructing a simulator for the model with created response registers and protocols for 
deterministic functions. That is, the output does not depend on the chosen randomness. While 
simulators in general consist of two operators, $\{U^{sim}_{query}, U^{sim}_{res}\}$, we will restrict $U^{sim}_{query}$ to be the 
identity. That is, the query from the adversary is sent directly to the oracle. We can do this wlog 
because there are no values in the response register and $U^{sim}_{query}$ must be corruption preserving. 

Assume all randomness is uniformly chosen. This can be done wlog and helps to unclutter the 
notation. For a specific protocol, define the matrix (or vector of states) $M(A, s)$ as 

$$M(A,s) = \left(|A, v_A(s,0)\rangle, \ldots, |A, v_A(s,r)\rangle, \ldots, |A, v_A(s,|\mathcal{R}|-1)\rangle\right)$$

We can now express the security of the protocol in the following way 

Lemma 2. A multiparty computation protocol for a deterministic function is perfectly secure against 
quantum $\Gamma$-attacks if, and only if, there exists a set of $|\mathcal{R}| \times |\mathcal{R}|$ unitary matrices $\{U_s\}_{s \in S}$ such 
that for all $s, s' \in S$, $r \in \mathcal{R}$, $A \in \Gamma_{s,s'}$ where $\Gamma_{s,s'} = \{A \in \Gamma \mid s_A = s'_A \wedge o_A(s) = o_A(s')\}$ 

$$M(A,s) U_s = M(A,s') U_{s'}$$

Proof. Consider the final state the adversary sees (using that the output is independent of the randomness 
and only in the response registers), with 
$|\psi^{adv}_x\rangle = \sum_{s,A} \alpha_{x,s,A} |s\rangle_i |x\rangle_e |A, s_A, o_A(s), v_A(s,r)\rangle_q$, and the state the simulator sees after the 
oracle has been applied in the ideal world, with $|\psi^{iw}_x\rangle = \sum_{A} \alpha_{x,s,A} |0\rangle_s |A, s_A, o_A(s), 0\rangle_q$. The state the simulator must send back is, 

$$\sum_{x,r,s} p_r \, |\psi_{x,r,s}\rangle\langle\psi_{x,r,s}|$$

where 

$$|\psi_{x,r,s}\rangle = \sum_A \alpha_{x,s,A} |A, s_A, o_A(s), v_A(s,r)\rangle_q$$

To continue we need a claim that is almost equivalent to Theorem 4 in [CJW04], but changed 
slightly for our specific purposes. For this reason we'll also provide a separate proof. The reader 
is encouraged to read [CJW04] for additional information on the existence of transformations 
between sets of quantum states. 

Claim. There exists a perfect simulator, i.e. $\rho^{rw}_{adv} = \rho^{iw}_{adv}$, iff there exists a unitary operator $U^{sim}_{res}$ such 
that for all x and $s \in S$ 

$$U^{sim}_{res}|\psi^{iw}_x\rangle = U^{sim}_{res} \sum_{s,A} \alpha_{x,s,A} |0\rangle_s |A, s_A, o_A(s), 0\rangle_q = \frac{1}{\sqrt{|\mathcal{R}|}} \sum_{s,A} \alpha_{x,s,A} \sum_{i,k} [U_s]_{i,k} |k\rangle_s |A, s_A, o_A(s), v_A(s,i)\rangle_q \qquad (7)$$

where $[U_s]_{i,k}$ is the i, k entry of a unitary matrix in some set of unitary matrices $\{U_s\}_{s \in S}$. 

Proof. For the forward direction, consider the final state the adversary sees, a mixture over k and s of the states 
$|\psi^{iw}_{x,k,s}\rangle = \sum_{x,A} \alpha_{x,s,A} |s\rangle_i |x\rangle_e \left(\sum_i [U_s]_{i,k} \frac{1}{\sqrt{|\mathcal{R}|}} |A, s_A, o_A(s), v_A(s,i)\rangle_q\right)$. Note that $\forall s, A, A', x, x'$, 

$$\frac{1}{|\mathcal{R}|}\sum_{i,j,k} [U_s]_{i,k}[U_s]^*_{j,k} |A, s_A, o_A(s), v_A(s,i)\rangle\langle A', s_{A'}, o_{A'}(s), v_{A'}(s,j)| \qquad (8)$$
$$= \frac{1}{|\mathcal{R}|}\sum_{i,k} [U_s]_{i,k}[U_s]^*_{i,k} |A, s_A, o_A(s), v_A(s,i)\rangle\langle A', s_{A'}, o_{A'}(s), v_{A'}(s,i)|$$
$$= \sum_i p_i |A, s_A, o_A(s), v_A(s,i)\rangle\langle A', s_{A'}, o_{A'}(s), v_{A'}(s,i)|$$

where we used that $U_s$ is unitary and only depends on s. This means the adversary sees the 
state he expects (except for labels) and we've completed the proof for the forward direction. 
Conversely, assume for contradiction that there is a simulator that can construct the correct 
mixed state for the adversary, but none that can construct one of the form of equation (7). If 
$\sum_k p_k |\phi_{x,k,s}\rangle\langle\phi_{x,k,s}|$ is the state the simulator sends back, then it must be that $\forall x, s$: 

$$\sum_k p_k |\phi_{x,k,s}\rangle\langle\phi_{x,k,s}| = \sum_r p_r |\psi_{x,r,s}\rangle\langle\psi_{x,r,s}|$$

where 

$$|\psi_{x,r,s}\rangle = \sum_A \alpha_{x,s,A} |A, s_A, o_A(s), v_A(s,r)\rangle_q$$

This is true if, and only if, there exist unitary matrices $\{U_{x,s}\}_{x,s}$ such that, by purifying the state, we get 

$$\sum_k \sqrt{p_k} |k\rangle|\phi_{x,k,s}\rangle = \frac{1}{\sqrt{|\mathcal{R}|}} \sum_{i,k} [U_{x,s}]_{i,k} |k\rangle|\psi_{x,i,s}\rangle = \frac{1}{\sqrt{|\mathcal{R}|}} \sum_A \alpha_{x,s,A} \sum_{i,k} [U_{x,s}]_{i,k} |k\rangle_s |A, s_A, o_A(s), v_A(s,i)\rangle_q$$

Note that we can choose the purification because all purifications are unitarily equivalent. And since 
the value of x only affects the amplitude we can, by linearity, assume that $U_{x,s}$ does not depend 
on x. This shows that the state produced by any perfect simulator must be of that form. This is a 
contradiction and completes the proof. □ 

$U^{sim}_{res}$ exists (and is unitary) if it preserves inner products between all possible states, hence we 
can conclude that there exists a perfect simulator if there exists a set of unitary matrices $\{U_s\}_{s \in S}$ 
such that for all $x, x'$, $s, s' \in S$ and all queries $\{\alpha_{x,s,A}\}$, $\{\alpha_{x',s',A'}\}$ 

$$\left(\sum_A \alpha^*_{x,s,A} \langle 0|_s \langle A, s_A, o_A(s), 0|_q\right)\left(\sum_{A'} \alpha_{x',s',A'} |0\rangle_s |A', s'_{A'}, o_{A'}(s'), 0\rangle_q\right)$$
$$= \frac{1}{|\mathcal{R}|}\left(\sum_A \alpha^*_{x,s,A} \sum_{i,k} [U_s]^*_{i,k} \langle k|_s \langle A, s_A, o_A(s), v_A(s,i)|_q\right)\left(\sum_{A'} \alpha_{x',s',A'} \sum_{j,k'} [U_{s'}]_{j,k'} |k'\rangle_s |A', s'_{A'}, o_{A'}(s'), v_{A'}(s',j)\rangle_q\right)$$

For the LHS we have that, 

$$\left(\sum_A \alpha^*_{x,s,A} \langle 0|_s \langle A, s_A, o_A(s), 0|_q\right)\left(\sum_{A'} \alpha_{x',s',A'} |0\rangle_s |A', s'_{A'}, o_{A'}(s'), 0\rangle_q\right) = \sum_A \alpha^*_{x,s,A}\alpha_{x',s',A} \langle s_A, o_A(s) | s'_A, o_A(s')\rangle = \sum_{A \in \Gamma_{s,s'}} \alpha^*_{x,s,A}\alpha_{x',s',A}$$

For the RHS we get that, 

$$\frac{1}{|\mathcal{R}|}\left(\sum_A \alpha^*_{x,s,A} \sum_{i,k} [U_s]^*_{i,k} \langle k|_s \langle A, s_A, o_A(s), v_A(s,i)|_q\right)\left(\sum_{A'} \alpha_{x',s',A'} \sum_{j,k'} [U_{s'}]_{j,k'} |k'\rangle_s |A', s'_{A'}, o_{A'}(s'), v_{A'}(s',j)\rangle_q\right)$$
$$= \frac{1}{|\mathcal{R}|} \sum_{A \in \Gamma_{s,s'}} \alpha^*_{x,s,A}\alpha_{x',s',A} \sum_{i,j,k} [U_s]^*_{i,k}[U_{s'}]_{j,k} \langle s_A, o_A(s), v_A(s,i) | s'_A, o_A(s'), v_A(s',j)\rangle$$

As the state in equation (7) must be normalized it follows that the maximum value of 

$$\frac{1}{|\mathcal{R}|}\left(\sum_i [U_s]^*_{i,k} \langle A, v_A(s,i)|\right)\left(\sum_j [U_{s'}]_{j,k} |A, v_A(s',j)\rangle\right)$$

is $\frac{1}{|\mathcal{R}|}$, so the two sides can only be equal if, and only if, for all k 

$$\sum_i [U_s]_{i,k} |A, v_A(s,i)\rangle = \sum_j [U_{s'}]_{j,k} |A, v_A(s',j)\rangle$$

Hence we see that there exists a simulator iff there exist $|\mathcal{R}| \times |\mathcal{R}|$ unitary matrices $U_s$ such that 
for all $s, s' \in S$, $k \in \mathcal{R}$, $A \in \Gamma_{s,s'}$ 

$$\sum_i [U_s]_{i,k} |A, v_A(s,i)\rangle = \sum_j [U_{s'}]_{j,k} |A, v_A(s',j)\rangle \qquad (9)$$

Using the definition of $M(A,s)$ we can now write the requirement in the more convenient way: 
There exists a simulator for the MPC protocol if, and only if, there exists a set of unitary matrices, 
$\{U_s\}_{s \in S}$, such that for all $s, s' \in S$, $A \in \Gamma_{s,s'}$: 

$$M(A,s) U_s = M(A,s') U_{s'}$$

which completes the proof of Lemma 2. □ 

We'd like to warn the reader that it is important not to confuse the unitary matrices $\{U_s\}_{s \in S}$ with 
the simulator itself. They are merely a tool to show the existence of one. Also, at this point the 
reader would be excused for lacking any intuition on why the lemma is reasonable. We therefore 
find it instructive to consider two examples. First we'll reconsider secret sharing in this framework 
and secondly a simple MPC protocol. 

5.6 Secret sharing example 

For this example we'll show that all secret sharing schemes secure against superposition $\Gamma$-attacks 
in fact satisfy the requirement in Lemma 2 (as they should). This does not add to what we already 
knew and is only meant to illustrate the principles. We'll allow each choice of randomness to be 
non-uniform as it adds only very little clutter. We note that since no parties have any input or 
output we have that for all $s, s' \in S$: $\Gamma_{s,s'} = \Gamma$. The result follows as a Corollary of Theorem 1. 

Corollary 1. If a secret sharing scheme S is perfectly secure against quantum $\Gamma$-attacks then there 
exists a set of $|\mathcal{R}| \times |\mathcal{R}|$ unitary matrices $\{U_s\}_{s \in S}$ such that for all $s, s' \in S$, $r \in \mathcal{R}$, $A \in \Gamma$ 

$$\sum_{i \in \mathcal{R}} \sqrt{p_i} [U_s]_{i,r} |v_A(i,s)\rangle = \sum_{j \in \mathcal{R}} \sqrt{p_j} [U_{s'}]_{j,r} |v_A(j,s')\rangle$$

Proof. Since the secret sharing scheme is secure we know from Theorem 1 that the joint distribution 
of the views for any $A, A' \in \Gamma$ is independent of s and hence, for all $s, s' \in S$: 

$$\sigma_s = \sum_r p_r |\psi_{s,r}\rangle\langle\psi_{s,r}| = \sigma_{s'} = \sum_r p_r |\psi_{s',r}\rangle\langle\psi_{s',r}|$$

where 

$$|\psi_{s,r}\rangle = \sum_{A \in \Gamma} \alpha_A |A\rangle|v_A(r,s)\rangle$$

This is equivalent to saying that the fidelity of two such states is 1. According to Uhlmann's 
Theorem this implies that there exist purifications of $\sigma_s$ and $\sigma_{s'}$ such that their inner product is 
1. Unitary equivalence of purifications implies you can write any such purification in $\mathcal{H} \otimes \mathcal{R}$, where 
$\dim(\mathcal{R}) = |\mathcal{R}|$, as 

$$\sum_{k \in \mathcal{R}} \sqrt{p_k} |\psi_{s,k}\rangle|k\rangle = \sum_{i,k \in \mathcal{R}} \sqrt{p_i} [U_s]_{i,k} |\psi_{s,i}\rangle|k\rangle$$

where $\{U_s\}_{s \in S}$ is a set of $|\mathcal{R}| \times |\mathcal{R}|$ unitary matrices. As the fidelity must be 1, it must be that for 
all $s, s' \in S$ 

$$\left(\sum_{i,k \in \mathcal{R}} \sqrt{p_i} [U^*_s]_{i,k} \langle\psi_{s,i}|\langle k|\right)\left(\sum_{j,k' \in \mathcal{R}} \sqrt{p_j} [U_{s'}]_{j,k'} |\psi_{s',j}\rangle|k'\rangle\right) = \sum_{i,j,k \in \mathcal{R}} \sqrt{p_i}\sqrt{p_j} [U^*_s]_{i,k}[U_{s'}]_{j,k} \langle\psi_{s,i}|\psi_{s',j}\rangle$$
$$= \sum_{A \in \Gamma, k \in \mathcal{R}} |\alpha_A|^2 \left(\sum_{i \in \mathcal{R}} \sqrt{p_i} [U^*_s]_{i,k} \langle v_A(i,s)|\right)\left(\sum_{j \in \mathcal{R}} \sqrt{p_j} [U_{s'}]_{j,k} |v_A(j,s')\rangle\right) = 1$$

Because $\sum_A |\alpha_A|^2 = 1$ and noting the states are normalized, we can conclude that 

$$\forall s, s' \in S, k \in \mathcal{R}, A \in \Gamma : \left(\sum_{i \in \mathcal{R}} \sqrt{p_i} [U^*_s]_{i,k} \langle v_A(i,s)|\right)\left(\sum_{j \in \mathcal{R}} \sqrt{p_j} [U_{s'}]_{j,k} |v_A(j,s')\rangle\right) = 1$$

From which the result follows. □ 



5.7 Simple MPC simulator example 

For this example we return to the simple four-party ($P_0, P_1, P_2, P_3$) bit-sharing scheme consid- 
ered in section 5.4. There we showed that we could not simulate an attack by simply running a 
classical simulator for the protocol in superposition. We are now in position to show that a simu- 
lator nonetheless exists. Recall that $|v_0(s,r_0,r_1)\rangle = |r_0, r_1\rangle$, $|v_1(s,r_0,r_1)\rangle = |r_0, 0\rangle$, $|v_2(s,r_0,r_1)\rangle = 
|r_1, 0\rangle$, $|v_3(s,r_0,r_1)\rangle = |r_0 \oplus r_1 \oplus s, 0\rangle$. We have two possible inputs $s \in \{0,1\}$ so we need to find 
two unitary matrices, $U_0, U_1$, in order to apply Lemma 2. These have been found manually. 

$$U_0 = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \qquad U_1 = \begin{pmatrix} \frac{1}{2} & \frac{1}{2} & \frac{1}{2} & -\frac{1}{2} \\ \frac{1}{2} & \frac{1}{2} & -\frac{1}{2} & \frac{1}{2} \\ \frac{1}{2} & -\frac{1}{2} & \frac{1}{2} & \frac{1}{2} \\ -\frac{1}{2} & \frac{1}{2} & \frac{1}{2} & \frac{1}{2} \end{pmatrix}$$

It is a tedious, but straightforward, calculation to show that 

$$M(P_1, 0) = M(P_1, 1) U_1$$
$$M(P_2, 0) = M(P_2, 1) U_1$$
$$M(P_3, 0) = M(P_3, 1) U_1$$

and since $P_0 \notin \Gamma_{0,1}$ we do not require that $M(P_0, 0) = M(P_0, 1) U_1$. To get a better feeling for what 
is going on we'll consider equation (9) for two specific choices for A and r. First let $A = P_2$ and 
$r = (1,0)$. The following must be true for the unitary matrices to be correct choices. 

$$|P_2, v_{P_2}(0, (1,0))\rangle = \sum_{(i_0,i_1) \in \mathcal{R}} [U_1]_{(i_0,i_1),(1,0)} |P_2, v_{P_2}(1, (i_0,i_1))\rangle$$

Since $U_0$ is just the identity, the LHS is easy to calculate, $|P_2, v_{P_2}(0, (1,0))\rangle = |0,0\rangle$. For the RHS 
we see that 

$$\sum_{(i_0,i_1) \in \mathcal{R}} [U_1]_{(i_0,i_1),(1,0)} |P_2, v_{P_2}(1, (i_0,i_1))\rangle$$
$$= \tfrac{1}{2}|P_2, v_{P_2}(1,(0,0))\rangle - \tfrac{1}{2}|P_2, v_{P_2}(1,(0,1))\rangle + \tfrac{1}{2}|P_2, v_{P_2}(1,(1,0))\rangle + \tfrac{1}{2}|P_2, v_{P_2}(1,(1,1))\rangle$$
$$= \tfrac{1}{2}|0,0\rangle - \tfrac{1}{2}|1,0\rangle + \tfrac{1}{2}|0,0\rangle + \tfrac{1}{2}|1,0\rangle = |0,0\rangle$$

Note that we encode the randomness as (0, 0) = 0, (0, 1) = 1, (1, 0) = 2, (1, 1) = 3. 
Of particular interest is $A = P_3$ as the view depends on the secret (for fixed randomness). Choose 
$r = (0,0)$: 

$$|P_3, v_{P_3}(0, (0,0))\rangle = \sum_{(i_0,i_1) \in \mathcal{R}} [U_1]_{(i_0,i_1),(0,0)} |P_3, v_{P_3}(1, (i_0,i_1))\rangle$$

For the LHS, $|P_3, v_{P_3}(0, (0,0))\rangle = |0,0\rangle$. For the RHS, 

$$\sum_{(i_0,i_1) \in \mathcal{R}} [U_1]_{(i_0,i_1),(0,0)} |P_3, v_{P_3}(1, (i_0,i_1))\rangle$$
$$= \tfrac{1}{2}|P_3, v_{P_3}(1,(0,0))\rangle + \tfrac{1}{2}|P_3, v_{P_3}(1,(0,1))\rangle + \tfrac{1}{2}|P_3, v_{P_3}(1,(1,0))\rangle - \tfrac{1}{2}|P_3, v_{P_3}(1,(1,1))\rangle$$
$$= \tfrac{1}{2}|1,0\rangle + \tfrac{1}{2}|0,0\rangle + \tfrac{1}{2}|0,0\rangle - \tfrac{1}{2}|1,0\rangle = |0,0\rangle$$
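To make the "tedious but straightforward" calculation checkable, here is an added Python example (mine, not code from the paper). It builds $M(\{P_i\}, s)$ for the four-party bit-sharing protocol as exact 4x4 matrices over the rationals, takes $U_0 = I$ and $U_1$ with the entries that the two worked columns above give, and verifies the Lemma 2 condition $M(\{P_i\},0)U_0 = M(\{P_i\},1)U_1$ for i = 1, 2, 3, that it fails for the dealer $P_0$ (which is why $P_0 \notin \Gamma_{0,1}$ matters), that $U_1$ is orthogonal with rows and columns summing to 1, that each column of $M(\{P_i\},1)U_1$ is again a single basis vector (a column permutation), and that $M(A,s)M(A',s)^T$ is unchanged by $U_1$; the last two are the observations Section 5.8 builds on. The names `M`, `lemma2_condition` and the other helpers are this example's own.

```python
from fractions import Fraction

# Randomness r = (r0, r1) is encoded as the index 2*r0 + r1, matching the footnote above.
RANDOMNESS = [(0, 0), (0, 1), (1, 0), (1, 1)]
HALF = Fraction(1, 2)

def view(i, s, r):
    """2-bit view of P_i for secret s and coins r = (r0, r1), as recalled in this section."""
    r0, r1 = r
    return [(r0, r1), (r0, 0), (r1, 0), (r0 ^ r1 ^ s, 0)][i]

def basis_index(v):
    """Index of the basis vector |v> for a 2-bit view v."""
    return 2 * v[0] + v[1]

def M(i, s):
    """The paper's M({P_i}, s) as a 4x4 matrix: column r is the basis vector |v_i(s, r)>.
    Rows are indexed by the 2-bit view, columns by the randomness index (the A label is
    the same on both sides of every equation and is therefore dropped)."""
    m = [[Fraction(0)] * 4 for _ in range(4)]
    for r_idx, r in enumerate(RANDOMNESS):
        m[basis_index(view(i, s, r))][r_idx] = Fraction(1)
    return m

def matmul(a, b):
    return [[sum(a[row][t] * b[t][col] for t in range(len(b))) for col in range(len(b[0]))]
            for row in range(len(a))]

def transpose(a):
    return [list(col) for col in zip(*a)]

IDENTITY = [[Fraction(int(r == c)) for c in range(4)] for r in range(4)]
U0 = IDENTITY
U1 = [[ HALF,  HALF,  HALF, -HALF],
      [ HALF,  HALF, -HALF,  HALF],
      [ HALF, -HALF,  HALF,  HALF],
      [-HALF,  HALF,  HALF,  HALF]]

def is_orthogonal(u):
    """U U^T = I; for a real matrix this is the unitarity Lemma 2 requires."""
    return matmul(u, transpose(u)) == IDENTITY

def rows_and_columns_sum_to_one(u):
    """The normalisation the claim in Section 5.8 says we may assume."""
    return all(sum(row) == 1 for row in u) and all(sum(col) == 1 for col in transpose(u))

def lemma2_condition(i):
    """M({P_i}, 0) U_0 == M({P_i}, 1) U_1, the Lemma 2 requirement for A = {P_i}."""
    return matmul(M(i, 0), U0) == matmul(M(i, 1), U1)

def is_column_permutation(i, s, u):
    """Every column of M({P_i}, s) U_s is again a single basis vector, so the product is
    just M({P_i}, s) with its columns permuted."""
    prod = matmul(M(i, s), u)
    return all(sorted(col) == [0, 0, 0, 1] for col in transpose(prod))

def gram_matrix_preserved(i, j, s, u):
    """M(A,s) M(A',s)^T is unchanged when both factors are multiplied by the same U_s,
    the inner-product condition stated at the end of Section 5.8."""
    left = matmul(M(i, s), transpose(M(j, s)))
    right = matmul(matmul(M(i, s), u), transpose(matmul(M(j, s), u)))
    return left == right

if __name__ == "__main__":
    print("U_1 orthogonal:", is_orthogonal(U1),
          "rows/cols sum to 1:", rows_and_columns_sum_to_one(U1))
    for i in (0, 1, 2, 3):
        print(f"M(P_{i},0) U_0 == M(P_{i},1) U_1:", lemma2_condition(i))
```

Column (1,0) of `matmul(M(2, 1), U1)` and column (0,0) of `matmul(M(3, 1), U1)` are exactly the two hand calculations above, both landing on the basis vector |0,0⟩.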
5.8 General MPC 

In this section we'll give a restatement of Lemma 2 expressing the requirement for the existence 
of a simulator as an explicit property of the multiparty computation protocol. This will allow for a 
straightforward, albeit extremely inefficient, method for checking the security of any deterministic 
MPC protocol in this model. For all ordered pairs of inputs $s, s' \in S$ and all sets $A \in \Gamma$ we'll 
associate a permutation of the randomness, $\{\pi_{s,s',A}\}_{s,s',A \in \Gamma_{s,s'}} \in S(\mathcal{R})$. By ordered pairs we mean 
that $\pi_{s,s',A}$ may differ from $\pi_{s',s,A}$. 

Theorem 3. A multiparty computation protocol for a deterministic function is perfectly secure 
against quantum $\Gamma$-attacks with created response registers if, and only if, there exist permutations 
$\{\pi_{s,s',A}\}_{s,s',A \in \Gamma}$ with the following two properties. 

1. $\forall s, s' \in S, \forall A \in \Gamma_{s,s'}, \forall r \in \mathcal{R}$: 
$$|v_A(s, \pi_{s,s',A}(r))\rangle = |v_A(s', \pi_{s',s,A}(r))\rangle$$

2. $\forall s, s', s'' \in S, \forall A \in \Gamma_{s,s'}, A' \in \Gamma_{s,s''}$: 
$$\sum_r |v_A(s,r)\rangle\langle v_{A'}(s,r)| = \sum_r |v_A(s, \pi_{s,s',A}(r))\rangle\langle v_{A'}(s, \pi_{s,s'',A'}(r))|$$

Note that property (1) is exactly the statement that a (not necessarily efficient) simulator exists in 
the classical model. 

Proof. Before we begin we'll need the following claim. 

Claim. We can without loss of generality assume that all the rows (and columns) of $U_s$ sum to 1. 

Proof. First recall that according to Lemma 2 we have that there is a simulator iff 

$$\exists U_0, \ldots, U_{|S|-1} \text{ s.t. } \forall s, s' \in S, \forall A \in \Gamma_{s,s'} : M(A,s) U_s = M(A,s') U_{s'}$$
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For any solution we can always multiply with C/g on the right side of all equations and we can 
hence wlog assume that Uq = I. Now consider Vs G S the equation, 

e Fo,s : M{A, 0) = M{A, s)Us 

That is, 

Vr e7^: J2Ps]r,k\AvA{s,k)) = \vA(,0,r)) 
ken 

Hence all rows (and columns) of Us must sum to 1. □ 

We can, in other words, view $M(A_{0,s}, s)\,U_s$ simply as $M(A_{0,s}, 0)$ under some permutation of the 
columns. In fact, since $U_s$ must always preserve the length of the columns, any $M(A,s)\,U_s$ is always 
just a permutation of the columns in $M(A,s)$. Although the permutation is defined by the same 
unitary, it is not necessarily the same permutation; but they are clearly related. We will make this 
relationship explicit by separating the requirement for a simulator into two parts. Let $M^{\pi_{s,s',A}}(A,s)$ 
denote the permutation of the columns in $M(A,s)$ that corresponds to applying the permutation 
function to the randomness for the view in each column, that is, 

$$M^{\pi_{s,s',A}}(A,s) = \big(|A, v_A(s, \pi_{s,s',A}(0))\rangle, \ldots, |A, v_A(s, \pi_{s,s',A}(r))\rangle, \ldots\big)$$

The first requirement is simply the statement that for $A \in F_{s,s'}$ some permutation of the randomness 
exists that makes the views equal for $s$ and $s'$. The second is the statement that, when 
the inputs to the parties are the same, these permutations must be performed by the same unitary 
matrix. That is, there exists a simulator if, and only if, there exist permutations, $\{\pi_{s,s',A}\}_{s,s',A\in F_{s,s'}}$, 
with the following two properties, 

1. $\forall s,s' \in \mathbb{S}, \forall A \in F_{s,s'}:$ 

2. There exist unitary matrices, $\{U_s\}_{s\in\mathbb{S}}$, such that $\forall s,s', A \in F_{s,s'}:\ M(A,s)\,U_s = M^{\pi_{s,s',A}}(A,s)$. 

For a specific choice of permutations such unitary matrices exist iff they preserve the inner product. 
That is, iff 

$$\forall s,s',s'' \in \mathbb{S}, \forall A \in F_{s,s'}, A' \in F_{s,s''}:\ M(A,s)\,M(A',s)^\dagger = M^{\pi_{s,s',A}}(A,s)\,M^{\pi_{s,s'',A'}}(A',s)^\dagger$$

Writing out the equations using the definition of $M(A,s)$ we conclude the proof. □ 

Had the choice of corrupted parties been classical, we could have let the unitary matrices depend 
on both the input and which party was corrupted. Specifically, in equation (8), the reason the 
unitaries cannot depend on $A$ is that $\sum_{i,j,k\in\mathcal{R}} [U_{s,A}]_{i,k}\,[U_{s,A'}]_{j,k}$ does not cancel out correctly if they 
differ, and the adversary would not see the correct state. If the choice of $A$ was classical we would 
see no such cross-terms† and no such relationship would be required. 

† Recall that there are no cross-terms for $s$ because the input register is perfectly entangled with the parties/ideal 
functionality. 